b'   THE FEDERAL BUREAU OF INVESTIGATION\xe2\x80\x99S\nPRE-ACQUISITION PLANNING FOR AND CONTROLS\n OVER THE SENTINEL CASE MANAGEMENT SYSTEM\n\n\n\n         U.S. Department of Justice\n       Office of the Inspector General\n                Audit Division\n            Audit Report 06-14\n               March 2006\n\x0c              THE FEDERAL BUREAU OF INVESTIGATION\xe2\x80\x99S\n           PRE-ACQUISITION PLANNING FOR AND CONTROLS\n            OVER THE SENTINEL CASE MANAGEMENT SYSTEM\n\n\n                        EXECUTIVE SUMMARY\n\n       In March 2005, the Federal Bureau of Investigation (FBI)\nterminated a 3-year, $170 million effort to develop a modern case\nmanagement system called the Virtual Case File (VCF) and announced\na new project called Sentinel. As detailed in the Office of the Inspector\nGeneral\xe2\x80\x99s (OIG) February 2005 audit report on the FBI\xe2\x80\x99s larger Trilogy\nInformation Technology Modernization Project, the VCF project failed\nfor a variety of reasons, including poorly defined design requirements,\nlack of mature Information Technology Investment Management\n(ITIM) processes, and poor management continuity and oversight. 1\n\n       With Sentinel, the FBI is relying on improved management\nprocesses, use of commercially available components, and a four-\nphase approach over 39 to 48 months to develop a replacement for its\nobsolete Automated Case Support (ACS) system. As of February\n2006, the FBI had not disclosed its specific cost estimates for Sentinel\nbecause the contract to a private information technology (IT) systems\ndeveloper had not yet been awarded. However, in response to\ncongressional inquiries, the FBI has cited a cost between $400-$500\nmillion to develop the system. According to the FBI, a more precise\ncost estimate will be available once the FBI awards the Sentinel\ncontract in calendar year 2006.\n\n      The OIG performed this audit of the Sentinel project at the\nrequest of the FBI Director and congressional appropriations\ncommittees. This audit is the first in a series of audits that the OIG\nintends to conduct on an ongoing basis to evaluate the development\nand implementation of Sentinel. The objective of this first audit was to\nevaluate the FBI\xe2\x80\x99s pre-acquisition planning for Sentinel, including the\napproach, design, cost, funding sources, timeframe, contracting\nvehicle, and oversight structure. Our future audits will examine the\ndevelopment of the system over its four phases and assess whether\ncost, schedule, performance, and technical benchmarks are being met.\n\n\n\n       1\n         The Department of Justice, Office of the Inspector General, The Federal\nBureau of Investigation\xe2\x80\x99s Management of the Trilogy Information Technology\nModernization Project, Audit Report Number 05-7, February 2005.\n\n\n                                          i\n\x0cBackground to Sentinel\n\n      A major objective of the FBI\xe2\x80\x99s IT modernization project is to\nreplace the FBI\xe2\x80\x99s antiquated ACS. During a variety of OIG reviews\nover the past several years, we reported that ACS uses outmoded\ntechnology, is cumbersome to operate, and does not provide\nnecessary workflow and information-sharing functions.\n\n      The FBI expects that Sentinel will provide it with a web-enabled\ncase management system that includes records management,\nworkflow management, collected item and evidence management, and\nrecords search and reporting capabilities, all of which will replace its\ncurrent paper-based case management system. The FBI intends to\nimplement Sentinel in four phases, with each phase providing distinct\ncapabilities until the overall project is completed in 2009. The FBI\nexpects to complete each of the phases in 12 to 18 months, with the\nphases overlapping. For example, Phase II will begin about 3 months\ninto Phase I. According to the FBI, the four phases will provide the\nfollowing capabilities.\n\n      \xe2\x80\xa2   Phase I will provide the web-based Sentinel portal. Initially,\n          the portal will allow access to ACS data and eventually to data\n          in the new case management system. It will also include a\n          case management \xe2\x80\x9cworkbox\xe2\x80\x9d that will summarize a user\xe2\x80\x99s\n          workload (the case files an agent or analyst is working on),\n          and provide automatic indexing in case files according to\n          person, place, or thing.\n\n      \xe2\x80\xa2   Phase II will begin the transition to a paperless case records\n          system by providing electronic case document management\n          and a records repository. A workflow tool will support the\n          movement of electronic case files through the review and\n          approval process, while a security framework will provide\n          access controls and electronic signatures.\n\n      \xe2\x80\xa2   Phase III will provide a new Universal Index (UNI), which is a\n          database of people, places, or things that relate to a case.\n          Expanding the number of attributes in the system will enable\n          more precise searching and will enhance agents\xe2\x80\x99 ability to\n          \xe2\x80\x9cconnect the dots\xe2\x80\x9d among cases.\n\n      \xe2\x80\xa2   Phase IV will implement Sentinel\xe2\x80\x99s new case management and\n          reporting capabilities, including the management of tasks and\n          evidence. During this phase, Sentinel will be connected to\n\n\n                                    ii\n\x0c         ACS, data on closed cases will be migrated from ACS to\n         Sentinel, and the process to retire ACS will begin.\n\n       In reviewing the management processes and controls the FBI\nhas applied to the pre-acquisition phase of Sentinel, we believe that\nthe FBI has adequately planned for the project and this planning\nprovides reasonable assurance that the FBI can successfully complete\nSentinel if the processes and controls are implemented as intended.\nHowever, we have several concerns about the project that require\naction and continued monitoring: (1) the incomplete staffing of the\nPMO, (2) the FBI\xe2\x80\x99s ability to reprogram funds to complete the second\nphase of the project without jeopardizing its mission-critical\noperations, (3) Sentinel\xe2\x80\x99s ability to share information with external\nintelligence and law enforcement agencies and provide a common\nframework for other agencies\xe2\x80\x99 case management systems, (4) the lack\nof an established Earned Value Management (EVM) process, (5) the\nFBI\xe2\x80\x99s ability to track and control Sentinel\xe2\x80\x99s costs, and (6) the lack of\ncomplete documentation required by the FBI\xe2\x80\x99s ITIM processes.\n\nNew IT Management Processes\n\n       In previous reports, we were critical of the FBI\xe2\x80\x99s lack of ITIM\nprocesses and Enterprise Architecture (the blueprint for its current and\nfuture IT environment) in the implementation of Trilogy. We believe\nthat these weaknesses contributed, in large part, to the FBI\xe2\x80\x99s past\nfailures in developing IT systems.\n\n       In this audit, we found that since the troubled Trilogy project\nand VCF failure, the FBI has established ITIM processes through its\nLife Cycle Management Directive (LCMD) and through continued work\non fully defining its Enterprise Architecture. The FBI\xe2\x80\x99s newly created\nIT management processes, reviews, and controls, coupled with\nexternal oversight by the OIG, contractors, congressional committees,\nand others, should help the FBI identify and minimize failures to\nachieve cost, schedule, performance, and technical benchmarks for the\nSentinel project.\n\nLife Cycle Management Directive\n\n      In November 2004, the FBI established an initial Life Cycle\nManagement Directive, which it has since refined and is applying to\nthe Sentinel project. The LCMD governs all aspects of an IT project,\nincluding planning, acquisition, development, testing, and operations\nand maintenance. The FBI\xe2\x80\x99s LCMD contains four overlapping\n\n\n                                   iii\n\x0ccomponents: life cycle phases, control gates, project level reviews,\nand key support processes.\n\n      Nine life cycle phases require FBI management approvals during\nthe development, implementation, and retirement of IT projects. The\napprovals occur through seven control gates in which an FBI\nexecutive-level review board discusses and approves the project\nbefore it proceeds to the next control gate. The control reviews, in\nturn, are based on the results of project-level reviews described below.\n\n      As of December 2005, the FBI\xe2\x80\x99s Investment Management Project\nReview Board (IMPRB) had approved the Sentinel project through two\ncontrol gates covering three of the nine life cycle phases: concept\nexploration, requirements development, and acquisition planning.\nThese three phases covered the following planning aspects of Sentinel.\n\n      \xe2\x80\xa2   Concept exploration identified the mission need, evaluated\n          solutions, and developed a business plan.\n\n      \xe2\x80\xa2   Requirements development defined the operational, technical,\n          and testing needs.\n\n      \xe2\x80\xa2   Acquisition planning allocated the requirements among the\n          various development stages, researched and applied lessons\n          learned from previous projects, identified potential product\n          and service providers, and determined funding sources.\n\n      The remaining life cycle phases will cover source selection where\nproposals are solicited and evaluated and the vendor is selected;\ndesign of the system\xe2\x80\x99s components and connectivity; testing of system\ncomponents and the overall product; implementation and integration\nof the operational system, including training; operations and\nmaintenance to support the system; and disposal of Sentinel when it\nreaches the end of its life cycle.\n\n      The FBI completed two Sentinel control gates by the conclusion\nof our field work for this audit report in December 2005. The review\nboard approved the system concept in mid-July 2005 and the\nacquisition plan in late-July 2005. The latter review approved\ndocumentation of the system specifications and interface controls, as\nwell as the project approach and resource estimates. Sentinel will be\nrequired to pass through four more control gates \xe2\x80\x94 final design\nreview, deployment readiness, system test readiness, and operational\nacceptance review \xe2\x80\x94 and will be reviewed by four other executive-\n\n\n                                   iv\n\x0clevel review boards as the project proceeds. 2 The next control gate,\nfinal design review, is led by the Technical Review Board and seeks to\nensure that the project design complies with technical requirements\nand will meet the FBI\xe2\x80\x99s needs.\n\n       The various executive-level control gate reviews are based in\npart on the results of more detailed project-level reviews. The LCMD\ncalls for the FBI\xe2\x80\x99s Program Management Office to conduct these\nproject reviews. By December 2005, the FBI-wide Program\nManagement Office had conducted two project-level reviews that fed\ninto the two higher-level control gate reviews. The first was a\nmission-needs review approving Sentinel\xe2\x80\x99s mission requirements, and\nthe second was a system specification review approving documents for\nthe system specifications and the external interface controls. The\nsystem specification review was the decision point that led to\ndevelopment of Sentinel\xe2\x80\x99s acquisition plan, the allocation of the\nrequirements to the four phases of the project, and the development\nof project plans to carry out the acquisition.\n\n      In addition to the project-level reviews, the LCMD contains 23\nkey support processes that provide additional support to the\ndevelopment of IT projects within the FBI. Rather than being created\nfor specific projects, these processes cover organization-wide\nmanagement functions, such as strategic planning. As a result, the\nkey support processes affect how individual projects such as Sentinel\nare managed within the FBI. Key support processes are also\nperformed independently from the life cycle phases, but the\ndeliverables associated with each key process area are integrated into\nthe project-level and control gate reviews where applicable.\n\n      In examining the implementation of the LCMD for Sentinel thus\nfar \xe2\x80\x94 a vital element in providing internal management oversight and\ncontrol over the project \xe2\x80\x94 we concluded that the FBI\xe2\x80\x99s ITIM processes\nappear to be sound and were generally being followed. We also found\nthat the FBI successfully completed most of the documentation\nrequired for the first three phases of the nine-phase life cycle.\nHowever, as of December 2005, the FBI had not yet completed the\nsystem security plan or the verification and validation plan as required\nby the LCMD. Nevertheless, Sentinel was approved to proceed past\nthe second control gate without these two plans. The FBI explained\nthat: (1) the system security plan cannot be completed until\n\n       2\n         The LCMD has a seventh control gate at the end of a system\xe2\x80\x99s life cycle to\nauthorize the termination of operations and maintenance and the disposal of system\nassets.\n\n\n                                         v\n\x0cSentinel\xe2\x80\x99s vendor provides detailed information on the project\xe2\x80\x99s design,\nand (2) a separate contract will be awarded to develop an Independent\nVerification and Validation (IV&V) plan.\n\n      The FBI further explained that the system security plan will\nprovide detail necessary for the completion of certification and\naccreditation of the applications being created for Sentinel, while the\nIV&V plan will provide for an independent control to assess the\nimplementation of the system according to technical and performance\nbaselines. We believe the FBI\xe2\x80\x99s explanation for deferring these two\nplans are reasonable, given the timing of the contract for Sentinel.\nHowever, in our next audit, we will monitor whether the FBI completes\nthe system security plan and the IV&V plan during the early stages of\nSentinel\xe2\x80\x99s development.\n\nRisk Management\n\n      The purpose of risk management is to assist the program\nmanagement team in identifying, assessing, categorizing, monitoring,\ncontrolling, and mitigating risks before they negatively affect a\nprogram. A risk management plan identifies procedures used to\nmanage risk throughout the life of the program.\n\n      We found that the FBI has instituted a risk management process\nfor Sentinel. Although Risk Review Board meetings have been held\nbiweekly since the project began, the FBI stated that it plans to hold\nweekly meetings once the Sentinel contract is awarded. When the\nRisk Review Board identifies specific risks, they are discussed at\nmonthly Program Management Review sessions and other Sentinel\noversight meetings. Risks are categorized by severity and identified as\neither open or resolved. Open risks are tracked until resolved.\n\n       During the initial life cycle phase of Sentinel, the FBI developed a\nmission-needs statement that assessed five areas for risk mitigation:\n(1) user acceptance, (2) implementation plan, (3) system capacity and\nperformance, (4) data migration, and (5) infrastructure support. In\naddition, the Sentinel acquisition plan identified the following seven\nrisks.\n\n      \xe2\x80\xa2   Several parallel IT initiatives within the FBI can affect the\n          scope of Sentinel.\n\n      \xe2\x80\xa2   The Sentinel project award schedule is very aggressive and\n          the target award date may not be attainable.\n\n\n                                     vi\n\x0c      \xe2\x80\xa2   Sentinel must interface with numerous FBI legacy systems\n          operated outside the FBI\xe2\x80\x99s Office of the Chief Information\n          Officer (CIO). 3\n\n      \xe2\x80\xa2   The FBI mission may evolve, or Sentinel user requirements\n          may change, resulting in scope creep prior to system\n          completion.\n\n      \xe2\x80\xa2   Initial project costs may be underestimated.\n\n      \xe2\x80\xa2   Staffing resources (prime and subcontractors) that meet FBI\n          requirements may not be available when needed.\n\n      \xe2\x80\xa2   The development contractor may be unable to meet the\n          proposed notional schedule.\n\nAwareness of these risks and a systematic monitoring and resolution\nof those risks is critical to keeping Sentinel on track.\n\nProject Oversight\n\n      In addition to the management controls incorporated into its\nLCMD, the FBI has established two additional forms of project\nmanagement and oversight for Sentinel: a Program Management\nOffice or PMO established specifically for Sentinel, and an array of\nexternal oversight bodies. The PMO, as the FBI\xe2\x80\x99s direct manager of\nthe Sentinel project, is vital to Sentinel\xe2\x80\x99s success. Among the many\nreasons for the failure of the VCF was a fragmented and ill-equipped\nPMO that suffered from rapid personnel turnover. Simply put, the VCF\nwas poorly managed. A well functioning PMO can reduce the risks that\nthreaten the successful implementation of the Sentinel project.\n\n       While the FBI has established a PMO dedicated exclusively to\nSentinel, this PMO has not yet been fully staffed. Without a fully\nstaffed, stable, and capable PMO managing the project on a daily\nbasis, Sentinel is at risk. The FBI intends for the PMO to be comprised\nof systems engineers, technical assistance personnel, and other\nsubject matter experts from the FBI, other government agencies,\nfederally funded research and development centers, and contractors.\nAs of January 30, 2006, the PMO had 51 of the planned full staffing\nlevel of 76 employees and contractors on board.\n\n      3\n        As discussed previously, Sentinel is to be developed using a phased, or\nincremental, approach whereby functionality will be added in stages.\n\n\n                                        vii\n\x0c       In response to our concerns about staffing, Sentinel\xe2\x80\x99s program\nmanager stated that because of the pre-award spending caps the FBI\nplaced on the program, fully staffing the PMO during the pre-award\nphase was premature. As a result, the program manager said the FBI\nis only hiring essential program management oversight personnel\nduring this initial phase to ensure that the PMO is prepared to handle\ncontract award activities. However, in light of the FBI\xe2\x80\x99s aggressive\ndevelopment and deployment schedule for Sentinel, it is critical for the\nFBI to fully staff the PMO office as soon as possible. In our opinion,\nthe significant turnover of project management during the Trilogy\nproject \xe2\x80\x94 15 different key IT managers over the course of its life,\nincluding 10 individuals serving as project managers for various\naspects of Trilogy \xe2\x80\x94 was a major reason for Trilogy\xe2\x80\x99s problems. We\nbelieve that sufficiently staffing the Sentinel PMO at the outset of the\nproject is key to establishing the stable management staff required to\nproperly oversee the project.\n\n      At the time of our audit, the FBI was working to identify qualified\ncandidates to fill the vacant PMO positions, many of whom will be\ncontractor personnel. Another reason for our concern is that security\nclearances will be required for the staff of the PMO and, according to\nthe FBI, obtaining the clearances may delay personnel coming\nonboard.\n\n       In addition, it is critical for the PMO to have stable leadership.\nIn November 2005 the FBI appointed a seasoned program manager on\ndetail to the FBI from the Central Intelligence Agency to manage the\nSentinel project. However, this program manager\xe2\x80\x99s current agreement\ncalls for a 2-year detail with an option to extend to a third year. In\nlight of the likelihood of this manager returning to the CIA before\nSentinel is completed, the FBI plans to groom a successor for him. We\nbelieve that continuity in this position, or a seamless transition to a\nqualified successor, is critical for the success of the project.\n\n       In addition, continuity in the FBI\xe2\x80\x99s CIO position is important.\nDuring development of Trilogy and the VCF, the FBI had five different\nCIOs or Acting CIOs. However, in the last several years, the FBI has\nhad continuity in the CIO position. In July 2004, the FBI reorganized\nits IT resources and established the Office of the CIO to centrally\nmanage all IT responsibilities, activities, policies, and employees\nacross the FBI. The current CIO, who has been in his position since\nMay 2004, now has responsibility for the FBI\xe2\x80\x99s overall IT efforts,\nincluding developing the FBI\xe2\x80\x99s IT strategic plan and operating budget,\n\n\n\n                                   viii\n\x0cdeveloping and maintaining the FBI\xe2\x80\x99s technology assets, and providing\ntechnical direction for the re-engineering of FBI business processes.\n\n      External oversight organizations also play an important role in\nmonitoring the Sentinel project and identifying problems that the FBI\nmay not see. These groups include congressional oversight\ncommittees, the OIG, and several other outside organizations. To its\ncredit, the FBI has enlisted the assistance of its Science and\nTechnology Board, RAND, the Markle Foundation, and a retired\ncorporate chief technology officer to advise the FBI on areas of\ninformation sharing and privacy, IT strategic planning and\ninvestments, and management of large IT acquisitions. 4 In addition,\nthe Department of Justice CIO and the Office of Management and\nBudget are also tracking the progress of Sentinel.\n\nEarned Value Management\n\n      The FBI has developed a Sentinel Program Earned Value\nManagement (EVM) Capability Implementation Plan in which the FBI\nand the Sentinel vendor will be required to apply EVM practices to the\nproject. EVM is a process that coordinates work scope, schedule, and\ncost goals and objectively measures progress toward those goals. The\nSentinel Program Management Office will use the EVM plan to measure\nSentinel\xe2\x80\x99s performance and the performance of the vendor and will\nreport the results to oversight entities. As of December 2005, the FBI\nwas in the process of acquiring its EVM tool to track and manage\nSentinel. Until the tool is acquired, the plan outlines a methodology\nfor the FBI to obtain earned value measures through other\napplications. When acquired and implemented, the EVM tool should\nallow program managers to evaluate Sentinel project performance\nagainst baselines and identify potential problems with the project.\nDue to the importance of EVM in helping to detect problems in a\nproject\xe2\x80\x99s development, we will continue to monitor the FBI\xe2\x80\x99s\nimplementation of this process in our future audit work.\n\n\n\n\n       4\n          The FBI\xe2\x80\x99s Science and Technology Board provides the FBI Director with\nindependent advice on how the FBI can more effectively exploit and apply science\nand technology to improve its operations. Board members are not involved in\nspecific procurement actions or contracts but instead focus on identifying current and\nemerging technologies that can maximize how the FBI conducts investigations,\ncollects and disseminates intelligence, and collaborates with law enforcement and\nintelligence partners.\n\n\n                                          ix\n\x0cCapability Maturity Model Integration\n\n      The FBI\xe2\x80\x99s Statement of Work for the Sentinel project requires\nthat bidders obtain an independent appraisal certifying that their\nsystems development, software engineering, and integration processes\nare at a Level 3 or higher on the Carnegie-Mellon University\xe2\x80\x99s\nCapability Maturity Model Integration (CMMI) 5-level maturity scale.\nThis requirement covers all vendors and any subcontractors that will\ncontribute a minimum of 10 percent of the total Sentinel effort in\ndeveloping or integrating software. Sentinel\xe2\x80\x99s Statement of Work also\ngives the FBI the right to interview the lead appraiser who conducts\nthe assessment and obtain independent assessments during the\ndevelopment of the project to verify compliance with the appraised\nprocesses.\n\n      We believe that by requiring vendors to perform at a CMMI\nLevel 3, the FBI has reduced the risk of selecting vendors that are not\ncapable of completing the Sentinel project and integrating all four\nproject phases. Additionally, because the vendors will be\nindependently reviewed by a CMMI appraiser, the FBI has greater\nassurance that the processes the vendor will use to develop Sentinel\nfollow best industry practices. In our upcoming audit work, we plan to\nverify that the CMMI appraisal is conducted, review its results, and\nassess the appraiser\xe2\x80\x99s independence.\n\nEnterprise Architecture\n\n       Since 2000, the FBI has struggled to develop an Enterprise\nArchitecture to help manage its current and planned IT infrastructure\nand applications. The lack of a mature Enterprise Architecture was\none of the reasons for the troubled Trilogy project and the failure of\nthe VCF. However, over the past 5 years the FBI has made significant\nprogress in establishing its Enterprise Architecture. In March 2005,\nthe FBI completed an Enterprise Architecture report that provides a\nhigh-level snapshot of current FBI business processes and supporting\nIT structures and systems. The FBI has also defined its desired IT\ninfrastructure environment, or target architecture. In addition, the FBI\nhas completed an interim architecture report describing how Sentinel\nwill enhance the FBI\xe2\x80\x99s current IT capabilities. Like most federal\nagencies the FBI does not yet have a fully mature architecture, but the\nFBI\xe2\x80\x99s architecture now appears to be sufficiently mature to provide the\nrequired management structures and processes needed to guide the\nSentinel project and ensure its compatibility with the rest of the FBI\xe2\x80\x99s\nIT environment.\n\n\n                                   x\n\x0cContracting\n\n        The process to identify a contractor for the Sentinel project\nbegan in late June 2005, with the FBI providing information to\npotential bidders. In early August 2005, the FBI issued a Request for\nProposals (RFP). Initially, responses were due by September 19 and\nthe contract was to be awarded on November 15. However, because\nof technical questions arising from potential bidders, the FBI extended\nthe response date to September 26 and the award date to December\n31. As of February 2006, however, the contract had not been awarded\nand the FBI had not provided a revised award date. According to the\nSentinel program manager, the award date was postponed because\ninitial reviews by the source selection evaluation team identified a\nneed for additional data from the companies that submitted proposals.\nOnce the data is received, the source selection evaluation team will\ncomplete the formal review and present its results to the awarding\ncommittee. The program manager said an award date cannot be\ndetermined until the FBI receives and reviews the additional data.\n\n      The Sentinel development contract will be cost-plus-award-fee in\nwhich the vendor will be rewarded for meeting established goals in\nfour areas: project management, cost management, schedule, and\ntechnical performance. The award fee can not exceed 12 percent of\nthe total development costs for Sentinel and will be allocated across\nthe four areas based on the degree of risk agreed to by the FBI and\nthe vendor at the signing of the contract. This type of contract is\ncommon for large government IT projects. In our 2005 report on the\nFBI\xe2\x80\x99s Trilogy project, we stated our concerns with the cost-plus-award-\nfee contract as it was implemented by the FBI in that project. The\ncost-plus-award-fee contract used for Trilogy did not: (1) require\nspecific completion milestones, (2) include critical decision review\npoints, and (3) provide for penalties if the milestones were not met.\nHowever, the FBI\xe2\x80\x99s improved management processes and controls\nshould reduce the risk of such problems recurring for Sentinel because\nthe FBI intends to establish clear milestones, impose penalties for\nmissed milestones, and include critical decision review points.\n\n      To identify a prime contractor for Sentinel, the FBI used a\ncontracting vehicle provided through the National Institutes of Health\n(NIH), one of 16 government-wide acquisition contracts the FBI\nevaluated before narrowing the field to 5 suitable for a large IT project\nsuch as Sentinel. The FBI selected the NIH CIO Solutions Partners 2\nInnovations contracting vehicle because it had 37 prime contractors\n\n\n\n                                   xi\n\x0cand could provide a greater number of potential bidders and a greater\nopportunity for competition.\n\n      The FBI has closely guarded information about potential\ncontractors and costs as procurement sensitive, and has not informed\nthe OIG of the identities of the potential contractors. However, several\npublications have reported that two major defense contractors have\nbid on Sentinel.\n\n      According to the Sentinel program manager, as of February 2006\nthe FBI was evaluating the bids based on the following five factors:\n\n      \xe2\x80\xa2   Past performance on programs of similar size, scope,\n          technical complexity, and managerial complexity as Sentinel.\n\n      \xe2\x80\xa2   Technical approach regarding phased development and\n          application of off-the-shelf components.\n\n      \xe2\x80\xa2   Management approach to Sentinel\xe2\x80\x99s design, development,\n          integration and testing, deployment, and operations and\n          maintenance.\n\n      \xe2\x80\xa2   Security approach to personnel, infrastructure, and the\n          Sentinel lifecycle.\n\n      \xe2\x80\xa2   Cost, including reasonableness and completeness.\n\nFunding\n\n       Because this first OIG audit of Sentinel was focused on the FBI\xe2\x80\x99s\npre-acquisition planning, and given the procurement sensitive nature\nof cost information at this stage of the award process, the FBI did not\nprovide us with details regarding the estimated cost of the planned\nfour-phase Sentinel project. However, in response to a Senate\nAppropriations Committee inquiry in October 2005, the FBI estimated\nthat it would cost the government between $400 and $500 million to\ndevelop Sentinel. The FBI stated that the precise cost estimate will\nnot be disclosed until the FBI awards the contract, a decision which as\nmentioned previously has been postponed to early 2006. In our\nupcoming audit work, we plan to examine in detail the winning\nbidder\xe2\x80\x99s cost estimates.\n\n     The FBI has stated, however, that it plans to fund the first two\nphases of Sentinel by seeking congressional approval to reprogram FBI\n\n\n                                   xii\n\x0cfunds through two separate requests. According to the FBI\xe2\x80\x99s plan, the\nthird and fourth phases would be funded by appropriations.\n\n       In accord with this plan, in September 2005 the FBI requested a\n$97 million reprogramming of fiscal year (FY) 2005 funds for the first\nphase of Sentinel. Congress approved the reprogramming in mid-\nNovember 2005. According to the FBI\xe2\x80\x99s submission, more than $14\nmillion of the initial reprogramming will come from the\nCounterterrorism Division budget, $13 million from intelligence-related\nactivities, and $2 million from the Cyber Division.\n\n       We interviewed officials at FBI headquarters to assess the effect\nof this $97 million reprogramming on FBI operations. Generally, these\nofficials said their divisions and offices can withstand the diversion of\nfunds to Sentinel for the first reprogramming. However, we are\nconcerned that diverting substantial funds from such mission-critical\nareas could begin eroding the FBI\xe2\x80\x99s operational effectiveness, only to\nbe compounded by an anticipated second reprogramming.\n\n       Although the FBI divisions and offices seemed confident about\ntheir ability to absorb the initial reprogramming of funds to Sentinel,\nthey stated that a second reprogramming of the same magnitude\nwould damage their ability to fulfill their mission. According to the FBI\nCIO, the FBI intends to send another reprogramming request to\nCongress to fund the second phase of the Sentinel program in\nFY 2006.\n\n       The OIG plans to assess the operational impact of these\nreprogrammings in subsequent Sentinel audits to ensure the FBI\xe2\x80\x99s\ncritical missions are not adversely affected by the reprogramming of\nfunds to the Sentinel project.\n\nTraining\n\n       At the time of our audit in February 2006, the FBI had not yet\ndeveloped a training plan or complete cost estimates for Sentinel\ntraining. The FBI\xe2\x80\x99s first reprogramming request estimated $1.2 million\nfor training in the first phase, although the FBI recognized that total\ntraining costs over the life of the project will be substantially higher.\nConsequently, we recommend that the FBI develop a comprehensive\ntraining plan with more accurate cost estimates as soon as possible so\nthat complete training costs can be included in the overall Sentinel\nbudget.\n\n\n\n                                   xiii\n\x0cCost Tracking\n\n       In the Trilogy project, the FBI lacked an effective, reliable\nsystem to track and validate the contractors\xe2\x80\x99 costs. We highlighted\nthis concern in our February 2005 report on Trilogy and the VCF.\nAlthough the FBI stated during the current audit that it was evaluating\na tool to track project costs, we recommend that the FBI implement an\neffective method to track and control costs as soon as possible. We\nview the potential weaknesses in cost control over the Sentinel project\nas a significant project risk.\n\nInformation Sharing\n\n       According to the Sentinel requirements document, the FBI\xe2\x80\x99s\nability to share information not only internally but also with its law\nenforcement and intelligence community partners is an important\ndesign requirement for Sentinel. In addition, according to the Senior\nPolicy Advisor to the Department of Justice\xe2\x80\x99s CIO, through the\ninteragency Federal Investigative Case Management System (FICMS)\neffort, Sentinel is intended to provide the core elements of a case\nmanagement system that other law enforcement and intelligence\nagencies can adapt to meet their unique requirements. While the FBI\nhas considered its internal needs in developing Sentinel\xe2\x80\x99s\nrequirements, we are concerned that the FBI has not yet adequately\nexamined or discussed Sentinel\xe2\x80\x99s ability to connect with external\nsystems in other Department of Justice components, the Department\nof Homeland Security (DHS), and other intelligence community\nagencies. If such connectivity is not built into Sentinel\xe2\x80\x99s design, other\nagencies could be forced into costly and time-consuming modifications\nto their systems to allow information sharing with the Sentinel system.\n\n       The FBI CIO told us that the FBI invited representatives of the\nDHS, Drug Enforcement Administration (DEA), and Bureau of Alcohol,\nTobacco, Firearms and Explosives (ATF) to participate in the\ndevelopment of Sentinel\xe2\x80\x99s requirements. In addition, the CIO said the\nFBI has discussed Sentinel interface issues with the Office of\nManagement and Budget (OMB) and the Directorate of National\nIntelligence (DNI). We interviewed officials from the DHS, DEA, and\nATF concerning Sentinel. DHS officials told us that it reviewed the\nsystem requirements the FBI had already prepared, but that the DHS\ndid not participate in developing them. DHS officials said that the DHS\ndoes not have enough information at this stage of Sentinel\xe2\x80\x99s\ndevelopment to assess whether Sentinel and DHS systems will be able\nto share information or what will be required to achieve compatibility.\n\n\n                                   xiv\n\x0cAccording to a DHS official, the DHS hopes to \xe2\x80\x9cpiggyback\xe2\x80\x9d onto\nSentinel and use at least parts for its own investigative case\nmanagement system. In addition, the DHS said it plans to assign IT\nsubject-matter experts to the FBI to assist in advising on and\nmanaging Sentinel, but is not certain of the specific role the personnel\nwould play.\n\n      The DEA plans to deploy its own new case management system\nto DEA field offices in early 2006. According to the DEA\xe2\x80\x99s Deputy CIO,\nits new case management system is not compatible with Sentinel as\ncurrently designed. To address this incompatibility, DEA officials said\nthey plan to monitor Sentinel\xe2\x80\x99s development to identify any\nmodifications in the DEA system needed to achieve compatibility with\nSentinel.\n\n       The ATF said it had not reviewed the requirements for Sentinel\nand did not know at this early stage whether it would need to modify\nits systems to achieve compatibility.\n\nConclusions\n\n       In our judgment, the FBI has taken important steps to address\nits past mistakes with the VCF in planning for the development of\nSentinel. In reviewing the management processes and controls the\nFBI has applied to the pre-acquisition phase of Sentinel, we believe\nthat the FBI has adequately planned for the project and this planning\nprovides reasonable assurance that the FBI can successfully complete\nSentinel if the processes and controls are implemented as intended.\nHowever, we have several concerns about the project that we believe\nrequire action and continued monitoring by the FBI, the OIG, and\nother interested parties. These concerns include: (1) the incomplete\nstaffing of the PMO, (2) the FBI\xe2\x80\x99s ability to reprogram funds to\ncomplete the second phase of the project without jeopardizing its\nmission-critical operations, (3) Sentinel\xe2\x80\x99s ability to share information\nwith external intelligence and law enforcement agencies and provide a\ncommon framework for other agencies\xe2\x80\x99 case management systems,\n(4) the lack of an established EVM process, (5) the FBI\xe2\x80\x99s ability to\ntrack and control Sentinel\xe2\x80\x99s costs, and (6) the lack of complete\ndocumentation required by the FBI\xe2\x80\x99s ITIM processes.\n\n      The OIG will continue to monitor and periodically issue audit\nreports throughout the Sentinel project in an effort to track the FBI\xe2\x80\x99s\nprogress and identify any emerging concerns over the cost, schedule,\ntechnical, and performance aspects of the project.\n\n\n                                   xv\n\x0cOIG Recommendations\n\n      In this initial Sentinel audit, we make seven recommendations\nfor the FBI to help ensure the success of the Sentinel case\nmanagement system. The recommendations are:\n\n     \xe2\x80\xa2   Ensure that the system security and Independent Verification\n         and Validation plans are completed as soon as possible after\n         the contract is signed.\n\n     \xe2\x80\xa2   Ensure that the Sentinel Program Management Office is\n         staffed to a level that will support Sentinel\xe2\x80\x99s aggressive\n         delivery schedule.\n\n     \xe2\x80\xa2   Obtain a tool that will allow the effective implementation of an\n         Earned Value Management process and fully implement this\n         process.\n\n     \xe2\x80\xa2   Discuss with other intelligence community and law\n         enforcement agencies their information-sharing requirements\n         to ensure compatibility with those systems in the\n         requirements and design of Sentinel.\n\n     \xe2\x80\xa2   Ensure that an effective system is in place to accurately track\n         and control Sentinel\xe2\x80\x99s development costs.\n\n     \xe2\x80\xa2   Complete a comprehensive training plan with realistic\n         schedule and cost estimates and include the training cost\n         estimates in estimates of the overall project\xe2\x80\x99s costs.\n\n     \xe2\x80\xa2   Establish a method to monitor the operational impact of a\n         potential second reprogramming and identify any degrading\n         of the FBI\xe2\x80\x99s mission-critical functions due to the diversion of\n         funds to the Sentinel project.\n\n\n\n\n                                   xvi\n\x0c                              TABLE OF CONTENTS\n\n\nINTRODUCTION .......................................................................... 1\n     Background ....................................................................... 1\n     Sentinel............................................................................. 3\n     Sentinel\xe2\x80\x99s Phased Approach.................................................. 5\n     Prior Reports ...................................................................... 7\n\nFINDINGS AND RECOMMENDATIONS ........................................... 10\n     Planning the Development of Sentinel.................................. 10\n     Improved Management Processes and Controls ..................... 10\n     Management and Oversight................................................ 17\n     Enterprise Architecture ...................................................... 20\n     Risk Management ............................................................ 21\n     Leveraging the VCF for Sentinel .......................................... 24\n     Sentinel Cost and Funding.................................................. 24\n     Earned Value Management................................................. 27\n     Capability Maturity Model Integration .................................. 28\n     Contracting ...................................................................... 29\n     Information Sharing .......................................................... 33\n     Conclusion ....................................................................... 39\n     Recommendations ............................................................ 41\n\nSTATEMENT ON COMPLIANCE WITH LAWS AND REGULATIONS ....... 43\n\nSTATEMENT ON INTERNAL CONTROLS ......................................... 45\n\nAPPENDIX 1:          OBJECTIVES, SCOPE, AND METHODOLOGY ............ 46\n\nAPPENDIX 2:          ACRONYMS........................................................ 47\n\nAPPENDIX 3:          PRIOR REPORTS ON THE FBI\xe2\x80\x99S INFORMATION\n                     TECHNOLOGY .................................................... 48\n\nAPPENDIX 4:          FBI\xe2\x80\x99S LCMD IT SYSTEMS LIFE CYCLE ..................... 54\n\nAPPENDIX 5:          THE FBI LCMD KEY PROCESS AREAS ..................... 55\n\nAPPENDIX 6:          PMO STAFF POSITIONS AND RESPONSIBILITIES .... 58\n\nAPPENDIX 7:          THE FBI\xe2\x80\x99S RISK MITIGATION STRATEGY ................ 60\n\x0cAPPENDIX 8:    QUESTIONNAIRE USED TO DETERMINE THE MOST\n               VIABLE CONTRACT VEHICLE ................................ 62\n\nAPPENDIX 9:    GLOBAL JUSTICE XML DATA REFERENCE MODEL\n               AND NATIONAL INFORMATION EXCHANGE MODEL .. 65\n\nAPPENDIX 10:   THE FEDERAL BUREAU OF INVESTIGATION\xe2\x80\x99S\n               RESPONSE TO THE DRAFT REPORT ....................... 67\n\nAPPENDIX 11:   OFFICE OF THE INSPECTOR GENERAL ANALYSIS\n               AND SUMMARY OF ACTIONS NECESSARY TO\n               CLOSE THE REPORT............................................ 70\n\x0c                           INTRODUCTION\n\nBackground\n\n       In testimony before the House Appropriations Committee on\nMarch 8, 2005, the Director of the Federal Bureau of Investigation\n(FBI) discussed the FBI\xe2\x80\x99s plan to develop and implement a state-of-\nthe-art case management system called Sentinel over 4 phases taking\nabout 42 months. The Sentinel project replaces the FBI\xe2\x80\x99s unsuccessful\nefforts over the previous 3 years to develop an automated case\nmanagement system called the Virtual Case File (VCF), which was\nintended to replace its obsolete Automated Case Support (ACS)\nsystem. Because of the FBI\xe2\x80\x99s failed $170 million VCF project,\ncongressional appropriations and oversight committees questioned\nwhether the FBI could successfully develop and implement a case\nmanagement system of Sentinel\xe2\x80\x99s magnitude.\n\n       Because of the importance of the Sentinel project, the\ncongressional appropriations committees and the FBI Director asked\nthe Department of Justice Office of the Inspector General (OIG) to\nmonitor and periodically report on the FBI\xe2\x80\x99s development of Sentinel.\nOver the past few years, the OIG and others have reviewed various\naspects of the FBI\xe2\x80\x99s information technology (IT) infrastructure and\ncited a critical need for the FBI to modernize its case management\nsystem. In previous reports, the OIG concluded that current FBI\nsystems do not permit agents, analysts, and managers to readily\naccess and share case-related information throughout the FBI, and\nwithout this capability, the FBI cannot perform its critical missions as\nefficiently and effectively as it should.\n\n       In its mission-needs statement for Sentinel, the FBI stated that\nits current case management system must be upgraded to utilize new\ninformation technologies by moving from a primarily paper-based case\nmanagement process to an electronic records system. The FBI noted\nthat this transition would enable agents and analysts to more\neffectively perform their investigative and intelligence duties.\n\n      The FBI\xe2\x80\x99s attempt to move from a paper-based to an electronic\ncase management system began with the Trilogy project in mid-2001.\nThe objectives of Trilogy were to update the FBI\xe2\x80\x99s aging and limited IT\ninfrastructure; provide needed IT applications for FBI agents, analysts,\nand others to efficiently and effectively do their jobs; and lay the\nfoundation for future IT improvements. Trilogy consisted of upgrading\nthe FBI\xe2\x80\x99s: (1) hardware and software; (2) communications network;\n\n\n                                    1\n\x0cand (3) the five most important investigative applications, including\nthe antiquated ACS. The first two components of Trilogy were\ncompleted in April 2004 at a cost of $337 million, almost $100 million\nmore than originally planned. Among other improvements, the FBI\nenhanced its IT infrastructure with new desktop computers for its\nemployees and deployed a wide area network to enhance electronic\ncommunication among FBI offices and with other law enforcement\norganizations. However, despite additional funding the FBI had\nreceived to accelerate Trilogy, these first two phases were not\ncompleted any faster than originally planned.\n\n      In early 2004, after nearly 3 years of development, the FBI\nengaged several external organizations and contractors to evaluate the\nVCF, the third prong of the Trilogy project. The National Research\nCouncil, in its May 2004 report, concluded that the VCF project was\nnot on a path to success because of: (1) inadequate contingency\nplanning for the transition from the existing case management system\nto a new one, (2) the absence of a completed enterprise architecture,\n(3) inadequate time allowed for testing, (4) weaknesses in contract\nmanagement, and (5) an inadequate IT human resources base. 5\n\n       In light of these conclusions, the FBI began to consider\nalternative approaches to developing the VCF, including terminating\nthe project or developing a completely new case management system.\nIn late 2004, the FBI commissioned Aerospace Corporation to perform\na trade study evaluating the functionality of commercial off-the-shelf\n(COTS) and government off-the-shelf (GOTS) technology to meet the\nFBI\xe2\x80\x99s case management needs. Aerospace followed this study with an\nIndependent Verification and Validation (IV&V) report on the VCF,\nissued in January 2005, which recommended that the FBI pursue a\nCOTS-based, service-oriented architecture. 6 The IV&V report\nconcluded that a lack of effective engineering discipline led to\ninadequate specification, design, and development of the VCF.\n\n      In late 2004, the FBI modified its approach to developing the\nVCF by dividing the project into Initial Operational Capability (IOC) and\nFull Operational Capability segments. The IOC segment assessed the\n\n       5\n           The National Research Council of the National Academies. A Review of the\nFBI\xe2\x80\x99s Trilogy Information Technology Program, May 2004.\n       6\n         A service-oriented architecture is a collection of services that communicate\nwith each other. The communication can involve a simple data exchange or two or\nmore services coordinating on an activity.\n\n\n\n                                          2\n\x0cVCF project and involved a pilot test of the most advanced version of\nVCF in an FBI field office. The Project Management Executive for the\nFBI\xe2\x80\x99s Office of Information Technology Program Management stated\nthat the results of the pilot validated that ending the VCF project was\nthe right decision.\n\n      The FBI issued a final report on the IOC at the end of April\n       7\n2005. According to the report, the FBI terminated work on the VCF\ndue to the lack of progress on its development. The FBI stated that it\nwas concerned that the computer code being used to develop the VCF\nlacked a modular structure, thereby making enhancements and\nmaintenance difficult. In addition, the FBI report said that the\n\xe2\x80\x9cmarketplace\xe2\x80\x9d had changed significantly since the VCF development\nhad begun, and appropriate COTS products, which were previously\nunavailable, were now available. In his March 2005 testimony before\nthe House Appropriations Committee, the FBI Director said the FBI\nwould apply lessons learned from the VCF to develop and deploy\nSentinel.\n\nSentinel\n\n      Similar to what the FBI had envisioned for the final version of\nthe VCF, Sentinel is intended to not only provide a new electronic case\nmanagement system, transitioning the FBI files from paper-based to\nelectronic records, but also to result in streamlined processes for\nagents to maintain investigative lead and case data. 8 In essence, the\nFBI expects Sentinel to be an integrated system supporting the\nprocessing, storage, and management of information to allow the FBI\nto more effectively perform its investigative and intelligence\noperations.\n\n      According to the FBI, the use of Sentinel in the future will\ndepend on the system\xe2\x80\x99s ability to be easily adapted to evolving\ninvestigative and intelligence business requirements over time.\nTherefore, the FBI intends to develop Sentinel using a flexible software\narchitecture that allows future changes to software components as\nneeded. According to the FBI, a key element of the Sentinel\narchitecture contributing to achieving this flexibility will be the use of\n\n       7\n          Department of Justice, Federal Bureau of Investigation. Federal Bureau of\nInvestigation: Virtual Case File Initial Operational Capability Final Report, version\n1.0, April 29, 2005.\n       8\n          A lead is a request from any FBI field office or headquarters for assistance\nin the investigation of a case.\n\n\n                                           3\n\x0cCOTS and GOTS applications software. The FBI intends to integrate\nthe off-the-shelf products with an Oracle database, thereby separating\nthe applications code from the underlying data being managed in order\nto simplify any future upgrades.\n\n       FBI agents are required to document investigative activity and\ninformation obtained during an investigation. The case file is the\ncentral system for holding these records and managing investigative\nresources. As a result, the case file includes documentation from the\ninception of a case to its conclusion. FBI agents and analysts create\npaper files in performing their work, making the process of adding a\ndocument to a case file a highly paper-intensive, manual process.\nFiles for major cases can contain over 100,000 documents, leads, and\nevidence items.\n\n        Currently, the documentation within case files is electronically\nmanaged through the ACS system. The ACS system maintains\nelectronic copies of most documents in the case file, providing\nreferences to those documents that exist in hardcopy only. Upon\napproval of a paper document, an electronic copy of the completed\ndocument is uploaded to the electronic case file of the ACS system.\nHowever, the ACS is a severely outdated system that is cumbersome\nto use effectively and does not facilitate the searching and sharing of\ninformation. For example, a former FBI project management\nexecutive testified before the Senate Judiciary Committee in July 2002\nthat \xe2\x80\x9cthere\xe2\x80\x99s no mouse, there\xe2\x80\x99s no icon, there\xe2\x80\x99s no year 2000 look to\nit, it\xe2\x80\x99s all very keyboard intensive.\xe2\x80\x9d The limited capabilities of the ACS\nand its lack of user-friendliness mean that agents and analysts cannot\neasily acquire and link information across the FBI.\n\n      In contrast, the FBI expects Sentinel to greatly enhance the\nusability of case files for agents and analysts, both in terms of adding\ninformation to case files as well as searching for case information. FBI\nsupervisors, reviewers, and others involved in the approval process\nalso will be able to review, comment, and approve the insertion of\ndocuments into appropriate FBI electronic case files through Sentinel.\n\n        In addition to enhancing the investigative capabilities within the\nFBI, Sentinel is intended to serve as the pilot project in the\ndevelopment of the Federal Investigative Case Management System\n(FICMS) framework as part of the e-government case management\nline of business. The FBI was named the lead agency for the FICMS\ninitiative, which, according to a June 2005 memorandum of\nunderstanding (MOU) signed by the FBI, DOJ, and DHS Chief\n\n\n                                     4\n\x0cInformation Officers (CIO), is intended to produce an architectural\nframework designed to: (1) bring federal law enforcement and\ninvestigative resources into a common electronic environment that\npromotes collaboration and optimum deployment of federal resources;\nand (2) create investigative case management solutions that provide\nstate-of-the-art capabilities to collect, share, and analyze information\nfrom internal and external sources and initiate appropriate\nenforcement responses. According to a Senior Policy Advisor to the\nDepartment\xe2\x80\x99s CIO, other federal agencies can use Sentinel\xe2\x80\x99s core\nsolution because of its standard set of case management tools and\nadaptability. Additionally, according to the FBI CIO, the Office of\nManagement and Budget (OMB) has begun to encourage other\nagencies to become involved with the development of Sentinel and its\ninterfaces in order to ensure future information sharing capability\namong all agencies.\n\nSentinel\xe2\x80\x99s Phased Approach\n\n       The FBI expects to develop the Sentinel project in 4 overlapping\nphases, each with a 12- to 18-month timeframe. For example, Phase\nII is anticipated to begin approximately 3 months after the start of\nPhase I. Each phase, when deployed, will result in a stand-alone set\nof capabilities that can be added to by subsequent phases to complete\nthe Sentinel project. The following chart shows the phases and\ngeneral timeframes for Sentinel, according to the FBI.\n\n\n\n\n                                   5\n\x0cSource: FBI\n\n       Phase I will introduce the Sentinel portal, which will provide\naccess to data from the existing ACS system and eventually, through\nincremental changes, support access to a newly created investigative\ncase management system. Phase I will also provide a case\nmanagement \xe2\x80\x9cworkbox\xe2\x80\x9d that will present a summary of all cases the\nuser is involved with, rather than requiring the user to perform a\nseries of queries to find the cases as is currently necessary with the\nACS. Additionally, the FBI will acquire software to identify persons,\nplaces, or things within the case files for automated indexing to allow\nthe files to be searchable by these categories. The FBI will also select\nthe core infrastructure components of the system in Phase I.\n\n     Phase II will provide case document management and a records\nmanagement repository. The second phase will begin the transition to\npaperless case records and the implementation of electronic records\nmanagement. A workflow tool will support the flow of electronic case\n\n\n                                   6\n\x0cdocuments through the review and approval cycles. A new security\nframework will be implemented to support access controls and\nelectronic signatures.\n\n       Phase III will replace the Universal Index (UNI), which is used to\ndetermine if a piece of information about a person, place, or thing\nexists within the FBI\xe2\x80\x99s current case management system. The UNI is a\ndatabase of persons, places, and things that have relevance to a case.\nWhile the current UNI supports only a limited number of attributes,\nPhase III will expand the number of attributes within the case\nmanagement system. Improving the attributes associated with the\nentities will allow more precise and comprehensive searching and\nincrease the ability to \xe2\x80\x9cconnect the dots\xe2\x80\x9d while performing casework.\n\n      Phase IV will implement Sentinel\xe2\x80\x99s new case management and\nreporting capabilities, and will consolidate the various case\nmanagement components into one overall system. At the end of this\nphase, the legacy systems will be shut down and the remaining cases\nin the legacy electronic case file will be migrated to the new case\nmanagement system. In this phase, as in all the others, changes to\nthe Sentinel portal will be required to accommodate the new features\nbeing introduced.\n\nPrior Reports\n\n      Over the past 3 years, several oversight entities have issued\nreports examining the FBI\xe2\x80\x99s attempts to update its case management\nsystem through the VCF. These reports the OIG, the Government\nAccountability Office (GAO), the House of Representatives\xe2\x80\x99 Surveys\nand Investigations Staff, the FBI, and other entities made a variety of\nrecommendations focusing on the FBI\xe2\x80\x99s management of the VCF\nproject and the continuing need to replace the outdated ACS system.\nA discussion of key points from these reports follows. (A more\ncomprehensive description of the reports appears in Appendix 3.)\n\n      In February 2005, the OIG reported on the critical need to\nreplace the ACS, finding that without an effective case management\nsystem the FBI remained significantly hampered due to the poor\nfunctionality and lack of information-sharing capabilities of its current\nIT systems. 9 The report concluded that the difficulties the FBI\n\n       9\n          Department of Justice, Office of the Inspector General. The Federal Bureau\nof Investigation\xe2\x80\x99s Management of the Trilogy Information Technology Management\nProject, Audit Report Number 05-07, February 2005.\n\n\n\n                                         7\n\x0cexperienced in replacing the ACS were attributable to: (1) poorly\ndefined and slowly evolving design requirements, (2) contracting\nweaknesses, (3) IT investment management weaknesses, (4) lack of\nan Enterprise Architecture, (5) lack of management continuity and\noversight, (6) unrealistic scheduling of tasks, (7) lack of adequate\nproject integration, and (8) inadequate resolution of issues raised in\nreports on Trilogy.\n\n      In April 2005, the House Appropriation Committee\xe2\x80\x99s Surveys and\nInvestigations staff similarly concluded in its report that: 10\n\n      \xe2\x80\xa2    VCF development suffered due to a lack of program\n           management expertise, disciplined systems engineering\n           practices, and contract management. The project also was\n           harmed by a high turnover of CIOs and program managers.\n\n      \xe2\x80\xa2    VCF development was negatively affected by the FBI\xe2\x80\x99s lack of\n           an empowered and centralized CIO office and sound business\n           processes by which IT projects are managed.\n\n      \xe2\x80\xa2    The FBI\xe2\x80\x99s decision to terminate VCF was related to\n           deficiencies in the VCF product delivered, failure of a pilot\n           project to meet user needs, and the new direction the FBI\n           planned to take for its case management system.\n\n      \xe2\x80\xa2    The FBI\xe2\x80\x99s IT program management business structure and\n           processes at the time of the report were, for the most part, in\n           place, although some of these processes needed to mature.\n\n      In September 2004, the GAO reported that although\nimprovements were under way and more were planned, the FBI did\nnot have an integrated plan for modernizing its IT system. 11 The GAO\nreported that each of the FBI\xe2\x80\x99s divisions and other organizational units\nthat manage IT projects performed integrated planning for its\nrespective IT projects. However, the plans did not provide a common,\nauthoritative, and integrated view of how IT investments will help\n\n      10\n          U.S. Congress, House of Representatives, House Surveys and\nInvestigations. A Report to the Committee on Appropriations, U.S. House of\nRepresentatives, April 2005.\n      11\n         U.S. Government Accountability Office. Information Technology:\nFoundational Steps Being Taken to Made Needed FBI Systems Modernization\nManagement Improvements, Report Number GAO 04-842, September 2004.\n\n\n\n                                        8\n\x0coptimize mission performance, and they did not consistently contain\nthe elements expected to be found in effective systems modernization\nplans. The GAO recommended that the FBI limit its near-term\ninvestments in IT systems until it developed an integrated systems\nand modernization plan and effective policies and procedures for\nsystems acquisition and investment management. Additionally, the\nGAO recommended that the FBI\xe2\x80\x99s CIO be provided with the\nresponsibility and authority to effectively manage IT FBI-wide.\n\n      We now turn to our findings from the OIG\xe2\x80\x99s first audit of the\nFBI\xe2\x80\x99s Sentinel program, which as noted above focused on the FBI\xe2\x80\x99s\npre-acquisition planning for Sentinel.\n\n\n\n\n                                   9\n\x0c                  FINDINGS AND RECOMMENDATIONS\n\nPLANNING THE DEVELOPMENT OF SENTINEL\n\n     The FBI has applied lessons learned from the Trilogy\n     project and failed VCF effort to the planning and\n     management of the Sentinel project. Specifically, the FBI\n     has made significant progress by developing Information\n     Technology Investment Management (ITIM) processes, a\n     more mature Enterprise Architecture, and other\n     management improvements since the Trilogy project\n     including establishing a Sentinel Program Management\n     Office (PMO). Despite these improvements, we have\n     several concerns about the project that require action and\n     continued monitoring: (1) the incomplete staffing of the\n     PMO, (2) the FBI\xe2\x80\x99s ability to reprogram funds to complete\n     the second phase of the project without jeopardizing its\n     mission-critical operations, (3) Sentinel\xe2\x80\x99s ability to share\n     information with external intelligence and law enforcement\n     agencies and provide a common framework for other\n     agencies\xe2\x80\x99 case management systems, (4) the lack of an\n     established Earned Value Management (EVM) process, (5)\n     the FBI\xe2\x80\x99s ability to track and control Sentinel\xe2\x80\x99s costs, and\n     (6) the lack of complete documentation required by the\n     FBI\xe2\x80\x99s ITIM processes.\n\nImproved Management Processes and Controls\n\n       In the early stages of the Trilogy project, the OIG and GAO\nrecommended that the FBI establish an ITIM process to guide the\ndevelopment of its IT investments. In response, the FBI instituted a\nLife Cycle Management Directive (LCMD) in 2004 while Trilogy was\nwell underway. The LCMD established policies and guidance applicable\nto all FBI IT programs and projects, including Sentinel. We believe the\nstructure and controls imposed by the LCMD can help prevent many of\nthe problems encountered with the failed development of the VCF.\n\n      The LCMD covers the entire IT system life cycle, including\nplanning, acquisition, development, testing, and operations and\nmaintenance. As a result, the LCMD provides the framework for\nstandardized, repeatable, and sustainable processes and best practices\nin developing IT systems. Application of the IT systems life cycle\nwithin the LCMD can also enhance guidance for IT programs and\nprojects, leverage technology, build institutional knowledge, and\n\n\n\n                                  10\n\x0censure that development is based on industry and government best\npractices.\n\n      The LCMD is comprised of four integrated components: life cycle\nphases, control gates, project level reviews, and key support\nprocesses. A diagram showing how these components relate to each\nother is found in Appendix 4.\n\n      According to the FBI CIO, since the inception of the LCMD all FBI\nIT programs and projects have been reviewed and managed according\nto the processes described in the LCMD. New IT programs and\nprojects have been managed under the LCMD from inception and will\ncontinue to be managed through retirement or replacement. Existing\nIT programs and projects were reviewed and placed within the\nrelevant life cycle phase according to their maturity and other factors.\n\nSystem Life Cycle Phases\n\n      The LCMD has established nine phases that occur during the\ndevelopment, implementation, and retirement of IT projects. During\nthese phases, specific requirements must be met for the project to\nobtain the necessary FBI management approvals to proceed to the\nnext phase. The approvals occur through seven control gates, where\nmanagement boards meet to discuss and approve or disapprove a\nproject\xe2\x80\x99s progression to future phases of development,\nimplementation, or retirement. As of December 6, 2005, the Sentinel\nproject had passed through the first three of the nine phases and is\ncurrently in the fourth phase \xe2\x80\x93 Source Selection. The following table\nshows the nine phases of development, implementation, and\nretirement.\n\n\n\n\n                                   11\n\x0c                    FBI LCMD DEVELOPMENT PHASES\n\n   PHASE NAME                               DESCRIPTION\n\n1. Concept Exploration    Identifies the mission need, develops and\n                          evaluates alternate solutions, and develops the\n                          business plan.\n\n2. Requirements           Defines the operational, technical and test\n   Development            requirements, and initiates project planning.\n\n3. Acquisition Planning   Allocates the requirements among the\n                          development segments, researches and applies\n                          lessons learned from previous projects, identifies\n                          potential product and service providers, and\n                          identifies funding.\n\n4. Source Selection       Solicits and evaluates proposals and selects the\n                          product and service providers.\n\n5. Design                 Creates detailed designs for system components,\n                          products, and interfaces; establishes testing\n                          procedures for a system\xe2\x80\x99s individual components\n                          and products and for the testing of the entire\n                          system once completed.\n\n6. Development and        Produces and tests all system components,\n   Test                   assembles and tests all products, and plans for\n                          system testing.\n\n7. Implementation and     Executes functional, interface, system, and\n   Integration            integration testing; provides user training; and\n                          accepts and transitions the product to operations.\n\n8. Operations and         Maintains and supports the product, and manages\n   Maintenance            and implements necessary modifications.\n\n9. Disposal               Shuts down the system operations and arranges\n                          for the orderly disposition of system assets\n\nSource: FBI\n\nControl Gate Reviews\n\n       The seven control gate reviews provide management control and\ndirection, decision-making, coordination, confirmation of successful\n\n\n\n                                  12\n\x0cperformance of activities, and determination of a system\xe2\x80\x99s readiness to\nproceed to the next life cycle phase. Decisions made at each control\ngate review dictate the next step for the IT program or project and\nmay include: allowing an IT program or project to proceed to the next\nsegment or phase, directing rework before proceeding to the next\nsegment or phase, or terminating the IT program or project. The FBI\xe2\x80\x99s\nInvestment Management Project Review Board (IMPRB) \xe2\x80\x94 comprised\nof 12 representatives from each FBI division at the Assistant Director\nlevel and 4 representatives from the Office of the Chief Information\nOffice, including the CIO \xe2\x80\x94 is responsible for approving an IT project\xe2\x80\x99s\npassing through each control gate. The Sentinel project has been\napproved through the first two of the LCMD control gates: the system\nconcept on July 15, 2005, and the acquisition plan on July 29, 2005.\n\n     The following table shows the seven control gate reviews that\ngovern the approval of an IT project and the related LCMD phases.\n\n\n\n\n                                  13\n\x0c                    FBI LCMD CONTROL GATE REVIEWS\n\n GATE                                DESCRIPTION\n\nGate 1    System Concept Review approves the recommended system concept\n          of operations and occurs at the end of Phase 1 of LCMD.\n\nGate 2    Acquisition Plan Review approves the Systems Specification and\n          Interface Control documents as developed in Phase 2 and the\n          approach and resources required to acquire the system as defined in\n          the Acquisition Plan as developed in Phase 3.\n\nGate 3    Final Design Review approves the build-to and code-to documentation\n          and associated draft verification procedures. It also ensures that the\n          design presented can be produced and will meet its design-to\n          specification at verification. The gate review occurs after the\n          contractor is selected in Phase 4 and system design is completed in\n          Phase 5.\n\nGate 4    Deployment Readiness Review approves the readiness of the system\n          for deployment in the operational environment. The gate review\n          occurs after the system is developed and tested in Phase 6. Approval\n          through the Gate 4 signifies readiness for the system implementation.\n\nGate 5    System Test Readiness Review verifies readiness to perform an\n          official system-wide data gathering verification test for either\n          qualification or acceptance. The gate review occurs mid-way through\n          Phase 7.\n\nGate 6    Operational Acceptance Review approves overall system and product\n          validation by obtaining customer acceptance and determining\n          whether the operations and maintenance organization agrees to, and\n          has the ability to, support continuous operations of the system. The\n          gate review occurs at the end of Phase 7.\n\nGate 7    Disposal Review authorizes termination of the Operations and\n          Maintenance life cycle phase and disposes of system resources. The\n          gate review occurs at the end of Phase 8 and results in Phase 9.\n\n   Source: FBI\n\n         At each control gate, executive-level reviews determine system\n   readiness to proceed to the next phase of the IT systems life cycle.\n   Evidence of readiness is presented and discussed at each control gate\n   review in the form of deliverables, checklists, and documented\n   decisions. Regardless of the development model used for a particular\n\n\n                                     14\n\x0cprogram or project, all control gate reviews should be performed\nunless an agreement is made to skip or combine them. Depending\nupon the development model employed, programs or projects may\npass through the control gates more than once. Because Sentinel is\nbeing developed in phases, and the contractor must provide a system\ndesign for each phase, the project will pass through Control Gate 3\nfour times.\n\n      The control gate reviews also provide executive-level controls to\nensure that IT projects are adequately supported and reviewed before\na project receives additional funding. Five executive-level review\nboards serve as the decision authority for the control gate reviews.\n\n      \xe2\x80\xa2   The IMPRB leads the System Concept Review and the\n          Acquisition Plan Review (Control Gates 1 and 2) and ensures\n          that all IT acquisitions are aligned and comply with FBI\n          policies, strategic plans, and investment management\n          requirements.\n\n      \xe2\x80\xa2   The Technical Review Board leads the Final Design Review\n          (Control Gate 3) and ensures that IT systems comply with\n          technical requirements and meet FBI needs.\n\n      \xe2\x80\xa2   The Change Management Board leads the Deployment\n          Readiness Review, System Test Readiness Review,\n          Operational Acceptance Review and the Disposal Review\n          (Control Gates 4 through 7) and controls and manages\n          developmental and operational efforts that change the FBI\'s\n          operational IT environment.\n\n      \xe2\x80\xa2   The Enterprise Architecture Board ensures that IT systems\n          comply with Enterprise Architecture requirements.\n\n      \xe2\x80\xa2   The IT Policy Review Board establishes, coordinates,\n          maintains and oversees implementation of IT policies.\n\n      The Gate 2 approval for Sentinel on July 29, 2005, signified that\nthe IMPRB accepted the overall project approach and cost estimate for\nacquiring the Sentinel system. Our review of the approval documents\nshowed that the FBI generally complied with the requirements of the\nLCMD in performing the control gate reviews for Sentinel. However,\ntwo documents required by the LCMD had not been completed at the\ntime the control gate review was conducted because: (1) the system\nsecurity plan could not be developed since the vendor needs to provide\nthe project design details and, as of the date of the control gate\n\n\n                                   15\n\x0creview, the vendor had not been selected, and (2) the IV&V plan has\nto be carried out by a separate contractor to provide for an\nindependent control to assess the implementation of the system\naccording to technical and performance baselines. As of February\n2006, the FBI had not yet awarded the IV&V contract. The system\nsecurity plan will provide the detail necessary for the completion of\ncertification and accreditation of the applications being created for\nSentinel. The IV&V plan is, in our opinion, crucial to ensuring the\nsuccess of the Sentinel project. We will continue to monitor these two\nitems in our subsequent audit work, including whether the IV&V is\nbeing implemented by an independent contractor.\n\n        At the Gate 2 review, the IMPRB approved Sentinel prior to the\napproval of the acquisition plan. The OMB requires non-phased IT\nprojects to demonstrate funding for the entire project prior to the\nsigning of a contract. The FBI\xe2\x80\x99s LCMD incorporates this process for\nmost of its IT projects. However, because Sentinel is a multi-phased\nproject, the FBI has modified this part of the LCMD. According to the\nFBI, for Sentinel the FBI will identify funds for each phase of the\nproject prior to work being initiated for that phase rather than\nidentifying the funds for all four phases from the outset. The FBI will\nperform separate acquisition plan reviews for each phase prior to its\ninitiation, and each phase must receive Control Gate 2 approval before\nproceeding. We agree with this modification to the LCMD for Sentinel\nbecause it provides greater oversight of the project and requires a\ndistinct commitment of funds prior to the initiation of each phase.\n\n      Had such control gates and management reviews been in place\nduring the Trilogy project, many of the problems with that project\ncould have been avoided or identified earlier for corrective action.\n\nProject-Level Reviews\n\n       Project-level reviews help determine a project\xe2\x80\x99s readiness to\nproceed to the next phase of the project life cycle. Each project-level\nreview provides information to the executive-level control gates as\ndata is developed and milestones are completed. At the conclusion of\nour field work for this audit in December 2005, the FBI had conducted\ntwo project-level reviews for Sentinel:\n\n      \xe2\x80\xa2   The Mission-Needs Review is a technical progress review that\n          approves the set of mission goals that will be satisfied\n          through the project. The mission goals are documented in\n\n\n\n                                  16\n\x0c         the Mission Requirement and Concept of Operations\n         document.\n\n     \xe2\x80\xa2   The System Specification Review is a technical progress\n         review that approves the System Specification and External\n         Interface Control Documents. The review is the decision\n         point that determines whether to proceed with the\n         development of an Acquisition Plan, the allocation of system\n         requirements to segment specifications, and the development\n         of Project Plans that will execute the acquisition.\n\nKey Support Processes\n\n       The LCMD also contains 23 key support processes that provide\nadditional support to the development of projects within the FBI.\nWhile the key support processes are not developed for projects\nspecifically, these processes cover organization-wide management\nfunctions, and as a result the key support processes affect how\nindividual projects are managed. For example, one key support\nprocess is the FBI\xe2\x80\x99s Strategic Plan. For Sentinel, the Strategic Plan\ndefines the organizational need that Sentinel will address once it is\nimplemented. However the FBI\xe2\x80\x99s Strategic Plan was not created\nspecifically for Sentinel. Key process areas are performed\nindependently of the life cycle phases and the deliverables associated\nwith each key process are integrated into the control gate and project-\nlevel reviews where applicable. Appendix 5 lists the 23 key process\nareas.\n\nManagement and Oversight\n\n       Based on our review of planning documents and interviews with\nkey FBI personnel including the CIO, we believe that the FBI is\napplying more rigorous management controls and ITIM processes in\nplanning for Sentinel. Moreover, during the 3 years of Trilogy\xe2\x80\x99s\ndevelopment, the FBI had five different CIOs or acting CIOs. Since the\nstart of Sentinel\xe2\x80\x99s development, the FBI has had stability in the CIO\nposition. In addition, as a result of a July 2004 reorganization, the\nCIO\xe2\x80\x99s office has much greater authority over all FBI IT management\nand resources than it did in the pre-Sentinel era.\n\nSentinel Program Management Office\n\n      The PMO plays a critical role in assuring that the FBI implements\na case management system that meets its needs. The PMO\xe2\x80\x99s contract\nand program execution responsibilities include: (1) cost, schedule,\n\n\n                                  17\n\x0cand performance oversight; (2) LCMD project reviews; (3) award fee\nevaluations; (4) primary contractor\xe2\x80\x99s documentation review and\nacceptance; (5) requirements and risk management; and (6) budget\nand financial management. In light of these responsibilities, having a\nqualified, dedicated PMO staff focused on program execution is critical\nto the success of the Sentinel project.\n\n       Since the PMO\xe2\x80\x99s creation soon after the inception of the Sentinel\nproject, the FBI has made progress in staffing the office. As of\nJanuary 30, 2006, the PMO consisted of 51 of the 76 IT personnel\nidentified in the FBI\xe2\x80\x99s Sentinel Staffing Plan (67 percent) as required to\nproperly oversee the project. According to the FBI, the objective in\nstaffing the PMO is to form an integrated team of subject matter\nexperts from government, federally funded research and development\ncenters, and system engineers and technical assistance contractors to\nmaximize program expertise. 12 The Sentinel program manager told\nthe OIG that because of the pre-award spending caps placed on the\nprogram, it was premature to staff the entire PMO during the pre-\naward effort. As a result, he said the FBI is hiring essential program\nmanagement oversight personnel to ensure that the PMO is prepared\nto handle contract award activities. In addition, another FBI official\ntold us that delays in hiring PMO staff have resulted from the FBI\xe2\x80\x99s\nlengthy background investigation and clearance process. However,\ndue to the aggressive scheduling of Sentinel, it is critical for the FBI to\nfully staff the PMO office as soon as possible. In our opinion, the\nsignificant turnover of project management during the Trilogy project\n\xe2\x80\x94 15 different key IT managers over the course of its life, including 10\nindividuals serving as project managers for various aspects of Trilogy\n\xe2\x80\x94 was a major reason for Trilogy\xe2\x80\x99s problems. We believe that fully\nstaffing the Sentinel PMO before the project begins is key to\nestablishing the stable management staff required to properly oversee\nthe project.\n\n      The Sentinel program manager, on loan to the FBI from the\nCentral Intelligence Agency since November 2005, is experienced with\nlarge IT systems acquisitions and should provide strong leadership.\nHowever, he is detailed to the FBI for 2 years, with an option to\nextend for another year. As a result, he is expected to return to his\nhome agency before Sentinel is completed. When questioned about\nthe program manager\xe2\x80\x99s planned tenure, the FBI CIO said that a\n\n      12\n           Federally funded research and development centers are nonprofit\norganizations sponsored and funded by the U.S. government to assist government\nagencies with scientific research and analysis, systems development, and systems\nacquisition.\n\n\n                                       18\n\x0cpotential replacement will be assigned to work directly with the\nprogram manager in the event of the program manger\xe2\x80\x99s departure. In\naddition, the FBI said that it continues to build management depth in\nthe Sentinel PMO to ensure that each position has a trained backup to\nensure continuity.\n\n     In light of the likelihood of the program manager\xe2\x80\x99s return to the\nCIA before Sentinel is completed, we believe that the FBI needs to\nensure a seamless transition to a qualified successor.\n\n      Moreover, as discussed in our February 2005 report on Trilogy,\ngiven the turnover of key personnel during that effort and the resulting\nlack of continuity and oversight, it is important for the FBI to maximize\nleadership stability throughout the project, not only with respect to the\nprogram manager but also other key PMO positions.\n\n     The following table summarizes the PMO\xe2\x80\x99s staffing level as of\nJanuary 31, 2006.\n\n            SENTINEL PMO STAFFING REQUIREMENTS\n\n                                            Planned          Staff on\n      Organizational Units\n                                              Staff           Board\n      Program Leadership                       2                  2\n      Direct Reporting Staff                   8                  6\n      Organization Change\n                                               5                  2\n      Management Team\n      Business Management                      5                  4\n      Administrative Support                  11                  5\n      Program Integration                     10                 10\n      System Development                      23                 21\n      Transition                               9                  1\n      Operations &\n                                               3                  0\n      Maintenance\n        Total                                 76                 51\n       Source: The FBI\n       Notes: (a) The staffing requirement plan does not include individuals who\n       are on temporary duty assignment to the project.\n\n\n\n\n                                       19\n\x0cFor a more complete description of PMO staff and their duties, see\nAppendix 6.\n\n       Although we are concerned about the incomplete staffing of the\nPMO given its vital role in helping ensure the success of the Sentinel\nproject \xe2\x80\x94 particularly since project management was one of the major\nreasons for the VCF failure \xe2\x80\x94 the FBI has filled some of the more\ncritical PMO positions, such as program leadership, system engineers,\ncontracting officer, and business manager. The OIG will continue to\nmonitor the staffing of the PMO and the stability of the program\xe2\x80\x99s\nleadership in future audit reports to ensure that Sentinel has the\nneeded staff in place to help ensure its success.\n\nSentinel Oversight\n\n      In addition to its ITIM processes represented by the LCMD, the\nFBI has identified four external oversight or advisory entities in\naddition to the OIG and congressional committees that will provide\nfeedback on Sentinel\xe2\x80\x99s development: (1) the FBI\xe2\x80\x99s Science and\nTechnology Board, (2) RAND, (3) the Markle Foundation, and (4) a\nretired corporate chief technology officer to advise the FBI on areas of\ninformation sharing and privacy, IT strategic planning and\ninvestments, and management of large IT acquisitions. 13 The FBI also\nholds monthly meetings with representatives of the OMB and the\nDepartment \xe2\x80\x94 and weekly meetings with the FBI Director \xe2\x80\x94 to track\nSentinel\xe2\x80\x99s progress. We found that progress briefings during the VCF-\ndevelopment process proved ineffective. Therefore, we believe that\nvigorous reporting and analysis of Sentinel is needed to maintain\ntransparency over the project\xe2\x80\x99s progress and identify any problems\nencountered as Sentinel unfolds. Our future audits of Sentinel will\nexamine the extent and effectiveness of such project oversight.\n\nEnterprise Architecture\n\n       In its February 2005 audit report on the Trilogy project, the OIG\ncited the lack of an Enterprise Architecture as one of the reasons for\nthe failure of the VCF effort. Since then, the FBI has made progress in\n\n       13\n           The FBI\xe2\x80\x99s Science and Technology Board provides the Director with\nindependent advice on how the FBI can more effectively exploit and apply science\nand technology to improve its operations. Board members are not involved in\nspecific procurement actions or contracts but instead focus on identifying current and\nemerging technologies that can maximize how the FBI conducts investigations,\ncollects and disseminates intelligence, and collaborates with law enforcement and\nintelligence partners.\n\n\n                                         20\n\x0cestablishing an Enterprise Architecture to more effectively and\nefficiently manage its current and future IT infrastructure. In March\n2005, the FBI completed an Enterprise Architecture baseline report on\nthe status of its \xe2\x80\x9cas is\xe2\x80\x9d Enterprise Architecture activities. The purpose\nof the report was to provide a high-level snapshot of current FBI\nbusiness processes and supporting IT structures and systems. In May\n2005, the FBI issued a similar report on its \xe2\x80\x9cto be\xe2\x80\x9d architecture\nactivities and an interim architecture report showing how Sentinel will\nhelp the FBI in attaining the future IT environment outlined in the \xe2\x80\x9cto\nbe\xe2\x80\x9d architecture report. The FBI stated that while its Enterprise\nArchitecture continues to mature, it now provides a roadmap to help\nthe FBI more effectively develop systems that directly support its\nmission.\n\n      Currently, the FBI is in the approval process for its Enterprise\nArchitecture development methodology documentation, which will help\nensure that each FBI component follows the same set of guidelines\nwhen developing IT systems. If the FBI continues to use the new\nEnterprise Architecture documentation to drive its IT investments, it\nminimizes the risk of investing in IT that is duplicative, poorly\nintegrated, costly, or not supportive of the FBI\xe2\x80\x99s mission. The FBI still\nneeds to develop a transition plan, a step-by-step process to move\nfrom the current architecture to the target architecture. In addition to\nestablishing a fully mature Enterprise Architecture, the FBI must also\nbegin to use the Enterprise Architecture to drive its IT investments. In\nour opinion, the FBI\xe2\x80\x99s lack of a fully mature Enterprise Architecture,\nwhich few federal agencies have achieved, should not prevent the\nSentinel project from going forward.\n\nRisk Management\n\n       The FBI has instituted a risk management process to identify and\nmitigate the risks associated with the Sentinel project. The Sentinel IT\nrisk process is managed by the Sentinel program manager and a Risk\nReview Board. While Risk Review Board meetings have been held\nbiweekly during the pre-acquisition phase, the FBI plans to hold\nweekly meetings once the Sentinel contract is awarded. The most\nsignificant risks identified by the board are examined at monthly\nProgram Management Review sessions and other Sentinel oversight\nmeetings in accordance with the LCMD.\n\n      The purpose of risk management is to assist the program\nmanagement team in identifying, assessing, categorizing, monitoring,\ncontrolling, and mitigating risks before they negatively affect a\n\n\n                                   21\n\x0cprogram. A risk management plan identifies the procedures used to\nmanage risk throughout the life of the program. In addition to\ndocumenting the risk approach, the plan focuses on how the risk\nprocess is to be implemented; the roles and responsibilities of the\nprogram manager, program team, and development contractors for\nmanaging risk; how risks are to be tracked throughout the program\nlife cycle; and how mitigation and contingency plans are implemented.\n\n       Program risks include risks that are identified and managed by\nthe development contractor as well as risks that can only be identified\nand managed by the FBI. This requires that risk management be\nperformed by the vendor and subcontractors to identify risks from the\ncontractor perspective, and by the FBI program management team to\nidentify risks from the FBI\xe2\x80\x99s perspective.\n\n       According to Sentinel Risk Management Plan, Sentinel risks are\nto be identified, assessed, and tracked throughout the life of the\nprogram. The PMO is responsible for reviewing new or \xe2\x80\x9cproposed\xe2\x80\x9d\nrisks to determine if the items should be accepted as an \xe2\x80\x9copen\xe2\x80\x9d risk.\nOpen, or unresolved, risks are supposed to be analyzed, updated, and\nassigned impact and severity ratings by each voting board member.\nThe program manager ranks the risks so that the highest priority risks\nget immediate attention. The PMO has the responsibility to track and\nperiodically review risks that are closed or resolved to prevent\nrecurrence and to document the effectiveness and any unintended\nconsequences of the mitigation strategy employed.\n\n      In the initial Concept Exploration Phase of the life cycle, the PMO\ndeveloped a mission-needs statement that identified the following five\npotential areas of risk in the Sentinel project.\n\n      \xe2\x80\xa2   User Acceptance \xe2\x80\x94 Ensuring user friendliness, identifying\n          possible performance problems, and addressing the cultural\n          change employees will face in redefining their business\n          processes are important considerations.\n\n      \xe2\x80\xa2   Comprehensive Implementation Plan \xe2\x80\x94 The implementation\n          plan needs to balance infrastructure requirements against\n          operational functionality, assess operational impacts in a\n          timely manner, and plan for training.\n\n      \xe2\x80\xa2   System Capacity and Performance \xe2\x80\x94 Increases in workload\n          resulting from a greatly improved ability to import documents\n          may erode system performance. Additionally, an increased\n\n\n                                   22\n\x0c           demand for interoperability with other new systems may also\n           degrade performance.\n\n      \xe2\x80\xa2    Data Migration \xe2\x80\x94 The legacy systems are known to have data\n           integrity problems, including missing data fields. A\n           comprehensive data migration strategy must address the\n           scope of data to be converted to ensure performance and\n           analysis expectations are met.\n\n      \xe2\x80\xa2    Infrastructure Support \xe2\x80\x94 Sentinel will be hosted on the\n           Trilogy Transportation Network Component and will be\n           supported by the Enterprise Operations Center and Enterprise\n           Security Operations Center. Inadequate support from these\n           centers would greatly affect user acceptance of the system. 14\n\n       In addition, the acquisition plan created in the planning phase of\nthe life cycle identified the following risks for the Sentinel project:\n\n      \xe2\x80\xa2    Several parallel IT initiatives within the FBI can affect the\n           scope of Sentinel.\n\n      \xe2\x80\xa2    The project award schedule is very aggressive and the target\n           award date may not be attainable.\n\n      \xe2\x80\xa2    Sentinel increments must interface with numerous legacy\n           systems operated outside the Office of the CIO.\n\n      \xe2\x80\xa2    The FBI mission may evolve or user requirements may\n           change prior to system completion, resulting in scope creep.\n\n      \xe2\x80\xa2    Initial project costs may be underestimated.\n\n      \xe2\x80\xa2    Staffing resources (prime and subcontractors) that meet FBI\n           requirements may not be available when needed.\n\n      \xe2\x80\xa2    The development contractor may be unable to meet the\n           proposed notional schedule.\n\n       The plan also considered consequences for each risk area and\noffered mitigation plans. We agree with the risks the FBI has\nidentified. However, the FBI\xe2\x80\x99s mitigation plans, along with its LCMD\n      14\n          The Trilogy Transportation Network Component is composed of high-speed\nconnections linking FBI offices.\n\n\n\n                                      23\n\x0cprocesses and other controls, if followed, will reduce the potential\neffects of each risk. A detailed listing of each risk and the FBI\xe2\x80\x99s\nmitigation strategy is outlined in Appendix 7.\n\nLeveraging the VCF for Sentinel\n\n       In his February 2005 congressional testimony, the FBI Director\ncited a loss of $104.5 million out of the $170 million spent on the 3-\nyear VCF development effort. However, during the current audit we\nwere unable to determine how much of the VCF investment the FBI\nwas able to transfer to the Sentinel project. 15 The FBI did not\nmaintain records identifying or estimating the cost of any VCF products\nthat can be incorporated into Sentinel. According to independent\nevaluations of the VCF product by Aerospace Corporation, the code\nused for developing the VCF was inadequate and therefore should not\nbe useful for Sentinel. Further, the FBI intends to maximize the use of\noff-the-shelf products for Sentinel. Although the FBI likely applied\nlessons learned from the VCF effort, including a better understanding\nof what features it wanted in a case management system, we were\nunable to quantify what, if anything, was transferable from the VCF to\nSentinel. One FBI system engineer said he thought that as much as\n40 percent of the VCF specifications would apply to Sentinel, but he\nwas uncertain and had no documentation to support his estimate.\nAnother FBI official explained that a limited amount of hardware left\nover from the VCF effort was used by the FBI for purposes other than\nSentinel. The only clear-cut transfer from the VCF was $3,542,000 in\nfiscal year (FY) 2004-2005 funding that has been redirected to\nSentinel.\n\nSentinel Cost and Funding\n\n      Because this first Sentinel audit focused on the FBI\xe2\x80\x99s pre-\nacquisition planning, and given the procurement sensitive nature of\nthe information, the FBI did not disclose to the OIG the estimated cost\nof the planned four-phase Sentinel project. However, in response to a\nSenate Appropriations Committee inquiry in October 2005, the FBI\nestimated that it would cost between $400 and $500 million to develop\nSentinel. According to the Sentinel program manager, the precise cost\nestimate will not be known until the FBI awards the contract, which\n\n\n\n      15\n           The hardware and communications infrastructure deployed as a part of\nTrilogy will be used by Sentinel.\n\n\n\n                                        24\n\x0chas been postponed to early 2006. 16 Our next audit will examine in\ndetail the winning bidder\xe2\x80\x99s cost estimates.\n\n      According to the FBI\xe2\x80\x99s Deputy Assistant Director of Finance,\nduring the summer of 2005 the FBI met with representatives from the\nDepartment of Justice and the OMB to discuss options to fund the\nproject. In the end, the FBI decided to seek funding for Sentinel using\nboth reprogrammed and appropriated funds: the first two phases\nwould be funded using FBI funds reprogrammed from other projects\nand operations and the third and fourth phases would be funded using\nappropriated funds.\n\nReprogramming Request\n\n       According to an FBI official, the OMB required the FBI to identify\nthe funding for each phase of Sentinel before work on that phase could\nbegin. As a result, on September 27, 2005, the FBI submitted a $97\nmillion reprogramming request to Congress for the first phase of\nSentinel. Congress approved the request on November 15, 2005.\nThe FBI\xe2\x80\x99s reprogramming request did not offer sufficient detail for us\nto render a detailed opinion on the specific amount of the request.\nYet, because of the FBI\xe2\x80\x99s extreme need for a new case management\nsystem, this initial reprogramming request appears reasonable, and in\nour judgment, the Sentinel program should move forward.\n\n       The FBI currently is developing a second reprogramming request\nto fund the second phase of Sentinel at an amount which we believe\nwill be similar to the first request \xe2\x80\x94 approximately $100 million. The\nsize of the appropriations the FBI expects to seek from Congress to\ncomplete the third and fourth phases of the Sentinel program are\nunknown to us, as are the funds that will be needed to operate and\nmaintain the program on an ongoing basis. The FBI has agreed to\nprovide a more precise cost estimate for the remainder of the project\nafter the Sentinel contract is awarded.\n\n       With regard to training, the FBI\xe2\x80\x99s initial $97 million\nreprogramming request includes $1.2 million in training costs in the\nfirst phase of the Sentinel program. However, the FBI has not yet\ndeveloped a comprehensive training plan for Sentinel or an estimate\nfor its full training costs. In our judgment, training costs over the life\nof the project will be substantial.\n      16\n         According to the FBI, the contract award was postponed because the FBI\nneeded additional information from the bidders.\n\n\n\n                                       25\n\x0c      The reprogramming request also cites approximately $10 million\nas management reserve. In our judgment, maintaining a\nmanagement reserve is a prudent practice given the uncertainties of\ndeveloping a new IT system. However, when attempting to calculate\nthe amount of the management reserve required for a major IT\nproject, an organization should consider the degree of risk associated\nwith the project and use Earned Value Management (EVM) tools to\nquantify the effect on the project should the potential risk materialize.\nWe do not have enough information at this time to evaluate the\nadequacy of the FBI\xe2\x80\x99s proposed reserve for the first phase of Sentinel\nor what amount of reserve might be required over the life of the entire\nprogram. As the project progresses, the FBI must continue to monitor\nand reassess the level of the reserve fund.\n\n       According to the FBI, more than $14 million of the initial\nreprogramming will come from the Counterterrorism Division budget,\n$13 million from intelligence-related activities, and $2 million from the\nCyber Division. We interviewed officials at FBI headquarters to assess\nthe effect of the $97 million reprogramming on FBI operations.\nGenerally, these officials said their divisions and offices can withstand\nthe diversion of funds to Sentinel for the first reprogramming.\nHowever, we are concerned that diverting substantial funds from such\nmission-critical areas could begin eroding the FBI\xe2\x80\x99s operational\neffectiveness, only to be compounded by an anticipated second\nreprogramming.\n\n       Although most FBI divisions and offices seemed confident about\ntheir ability to absorb the initial reprogramming of funds to Sentinel,\nthey stated that a second reprogramming of the same magnitude\nwould damage their ability to fulfill their mission. According to FBI\nCIO, the FBI intends to send another reprogramming request to\nCongress to fund the second phase of the Sentinel program in\nFY 2006.\n\n      The OIG plans to assess the operational impact of these\nreprogrammings in subsequent Sentinel audits to assess whether the\nFBI\xe2\x80\x99s critical missions are adversely affected while the FBI also seeks\nto provide its employees with a case management system that will\nhelp them do their jobs more effectively and efficiently.\n\n\nCost Tracking and Control\n\n\n\n                                   26\n\x0c       In the Trilogy project, the FBI lacked an effective, reliable\nsystem to track and validate the contractors\xe2\x80\x99 costs. We highlighted\nthis concern in our February 2005 report on Trilogy and the VCF.\nFurther, in February 2006 draft report, the GAO stated its preliminary\nfinding that the FBI\xe2\x80\x99s poor cost controls resulted in the payment of\nabout $10 million in questionable contractor costs. 17 Although the FBI\nstated that it is evaluating a tool to track Sentinel project costs, we\nview the potential weaknesses in cost control as a project risk.\n\nEarned Value Management\n\n      One approach to achieving reliable program cost estimates,\nevaluating current progress, and analyzing schedule and cost\nperformance trends is to employ the discipline of EVM. EVM enables\nproject teams to report progress to program managers to evaluate\nperformance against initial baselines. In essence, EVM is a method of\nimposing accountability on a project and exposing potential problems\nwhile there is still time to fix them.\n\n      In a memorandum dated August 4, 2005, the OMB required\nfederal CIOs to manage and measure all major IT projects to within 10\npercent of baseline goals by using an EVM system. The OMB required\neach agency to develop agency policies for full implementation of EVM\non IT projects by December 31, 2005. In August 2005, the FBI\ndeveloped a Sentinel Program EVM Capability Implementation Plan\nwhich, in our judgment, satisfied the OMB requirement for the project.\n\n     According to the plan, the Sentinel PMO will use the plan to\nmeasure its earned value performance, and the performance of the\nvendor, and report the result to oversight entities. The Statement of\nWork requires that Sentinel\xe2\x80\x99s vendor and its contractors implement\nEVM in accordance with the plan.\n\n      According to the FBI, it has evaluated several tools to track and\nmanage EVM results. The evaluation consisted of examining technical\nand functional capabilities of the tools, learning about the\nrequirements for the associated system environment, reviewing\nimplementation methodologies and training materials, evaluating tool\nacquisition and installation costs, and viewing demonstration sessions\n\n\n\n      17\n          U.S. Government Accountability Office. (DRAFT) Federal Bureau of\nInvestigation: Weak Controls over Trilogy Project Led to Payment of Questionable\nContractor Costs and Missing Assets, Report Number GAO-06-306, February 2006.\n\n\n                                       27\n\x0cof potential tools. As a result of this review, the FBI intends to use the\nfollowing tools to track and manage Sentinel in the short term.\n\n      \xe2\x80\xa2   Program schedules, including milestones, will be developed\n          and maintained using the existing Microsoft Project 2003\n          software.\n\n      \xe2\x80\xa2   Program risks will be documented and managed using the\n          Risk Register software suite developed and maintained by the\n          FBI Office of IT Planning and Policy.\n\n      \xe2\x80\xa2   Budgets will be prepared and managed using Microsoft Office\n          Professional software resident in the FBI\xe2\x80\x99s Trilogy software\n          suite.\n\n       In the long term, the FBI expects that its EVM performance\nmetrics will be developed, maintained, and reported using M\xc3\xa9tier\xe2\x80\x99s\nWorkLenz software suite. The FBI is acquiring the software but will\nneed to complete security certification and accreditation for the\nsoftware to be certified for use on FBI systems. According to the FBI,\nfull implementation and execution of the EVM capabilities for the\nSentinel project are scheduled to be completed after the Integrated\nBaseline Review occurs approximately 2 months after the award of the\nSentinel contract. Based on our initial review, the FBI\xe2\x80\x99s EVM strategy\nappears adequate. We will monitor the FBI\xe2\x80\x99s implementation of EVM in\nfuture audits.\n\nCapability Maturity Model Integration\n\n      The FBI\xe2\x80\x99s Statement of Work for the Sentinel project requires\nthat bidders obtain an independent appraisal certifying that their\nsystems development, software engineering, and integration processes\nare at a Level 3 or higher on the Carnegie-Mellon University\xe2\x80\x99s\nCapability Maturity Model Integration (CMMI) 5-level maturity scale.\nThis requirement includes all vendors and any subcontractor that will\ncontribute a minimum of 10 percent of the total Sentinel effort in\ndeveloping or integrating software. Sentinel\xe2\x80\x99s Statement of Work also\ngives the FBI the right to interview the lead appraiser who conducted\nthe assessment and to conduct independent assessments during the\ndevelopment of the project to verify compliance with the appraised\nprocesses.\n\n      We believe that by requiring the vendor to perform at a CMMI\nLevel 3, the FBI reduces the risk of selecting a vendor that is not\n\n\n                                   28\n\x0ccapable of completing the Sentinel project and integrating all four\nproject phases. Additionally, because the vendor will be independently\nreviewed by a CMMI appraiser, the FBI has assurance that the\nprocesses the vendor will use to develop Sentinel are rated favorably\nin relation to best industry practices. In our upcoming audit work, we\nplan to verify that the appraisal was conducted, review its results,\nvalidate the appraiser\xe2\x80\x99s independence, and review the results of the\nappraisal.\n\nContracting\n\n      In selecting the appropriate contract type for the development of\nSentinel, the FBI originally identified 16 Government-wide Acquisition\nContracts (GWAC) that were suitable for a project as extensive as\nSentinel. The FBI eliminated 11 of the 16 GWACs as inappropriate\nvehicles for Sentinel because the contract vehicle\xe2\x80\x99s task scope was\ninadequate, task-order cost reimbursement was not allowed, or the\ncontractors available through the GWAC lacked the expertise needed\nfor the project. The FBI further analyzed the other five GWACs to\ndetermine which were the most suitable for the project. The analysis\nincluded a 29-item questionnaire with 6 discriminator areas. 18 The\ndiscriminator areas are listed below.\n\n     \xe2\x80\xa2    FBI Audit Capability \xe2\x80\x94 The FBI believed that its ability to\n          audit the contractor\xe2\x80\x99s financial records would be critical to\n          determine invoice accuracy and program progress.\n\n     \xe2\x80\xa2    Use of FBI Contracting Officer Post Award Administration \xe2\x80\x94\n          The FBI wanted to ensure that the contracting vehicle would\n          allow the FBI to manage the contract using the FBI\n          Contracting Officer.\n\n     \xe2\x80\xa2    Number of Prime Contractors on the GWAC \xe2\x80\x94 The FBI\n          believed that the more prime contractors available on the\n          GWAC the greater the possibility of selecting the most\n          qualified contractor.\n\n     \xe2\x80\xa2    Period of Performance Limitations \xe2\x80\x94 The FBI wanted to\n          ensure that the GWAC would not expire before the completion\n          of the Sentinel project.\n\n\n     18\n          See Appendix 8 for a list of 29 items from the questionnaire.\n\n\n\n                                         29\n\x0c      \xe2\x80\xa2    Ability to Add Subcontractors \xe2\x80\x94 The FBI wanted to ensure\n           that the prime contractor\xe2\x80\x99s ability to add a new or specialized\n           subcontractor to resolve unique problems would not be\n           affected by GWAC constraints.\n\n      \xe2\x80\xa2    Interagency Fee Structure \xe2\x80\x94 The FBI wanted to ensure that\n           interagency fee charged by the GWAC for use of its contract\n           vehicle was reasonable.\n\n      Based on the information obtained from the questionnaires, the\nFBI eliminated two of the remaining five GWACs for two reasons:\n(1) the GWAC did not allow direct order, and (2) the GWAC may not\nsupport the acquisition strategy of having all task orders awarded by\nJanuary 2006 and be of no more than five years in duration. 19 From\nthe other three GWACs, the FBI chose the National Institute of\nHealth\xe2\x80\x99s (NIH) Chief Information Officer\xe2\x80\x93Solutions Partners 2\nInnovations (CIO-SP2i) contract vehicle because it gave the FBI the\ngreatest flexibility and included 37 potential bidders.\n\n      The Federal Acquisition Regulations (FAR) \xc2\xa7 15.201 encourages\nagencies to promote early exchanges of information prior to the\nrelease of the Request for Proposals (RFP). The purpose of exchanging\ninformation is to improve the understanding of government\nrequirements and industry capabilities, thereby allowing potential\nbidders to judge whether or how they can satisfy the government\'s\nrequirements. An early exchange of information can identify and\nresolve concerns regarding: the acquisition strategy, including the\nproposed contract type; terms and conditions; acquisition planning\nschedules; requirements; statements of work; data requirements; and\nany other industry concerns or questions. The FAR also identifies\ntechniques to promote early exchanges of information, including\nindustry or small business conferences, public hearings, market\nresearch, and one-on-one meetings with potential bidders.\n\n      On June 27, 2005, the FBI held an Industry Day to exchange\ninformation with potential bidders. All NIH CIO-SP2i contractors were\ninvited to participate. According to the FBI, the potential contract\nbidders attending the session submitted both contractual and technical\nquestions. However, the FBI would not provide these questions for\nour review because they were deemed procurement sensitive.\n\n\n\n      19\n          Direct order allows the agency, not the GWAC, to issue and manage the\ntask orders associated with the contract.\n\n\n                                       30\n\x0c      On August 5, 2005, the FBI issued an RFP with responses due by\nSeptember 19 and a contract award date of November 15. According\nto FBI officials, the due date for the proposals was extended one week\nto September 26, 2005, because vendors needed more time to\ncomplete the technical, management, and cost sections of the\nproposal. Subsequently, the contract award date was rescheduled for\nDecember 31, 2005, and later postponed again to an unspecified date\nin 2006. The FBI said that the source selection evaluation team,\nduring its initial review of the proposals, identified the need for\nadditional data from the bidders. As a result, the FBI said it will not\nestablish a new contract award date until the source selection\nevaluation team receives and reviews the additional data.\n\n      According to the FAR \xc2\xa7 15.203, RFPs for competitive acquisitions\nshould state the government\'s requirements, anticipated terms and\nconditions that apply to the contract, information required in the\nbidder\xe2\x80\x99s proposal, and factors that will be used to evaluate the\nproposal. To meet this requirement, the Sentinel RFP contained the\nfollowing documents.\n\n      \xe2\x80\xa2   System Requirements Specification \xe2\x80\x94 This document outlined\n          the specific requirements that the Sentinel system will satisfy.\n\n      \xe2\x80\xa2   Statement of Work \xe2\x80\x94 This document described the FBI\xe2\x80\x99s\n          requirements for Sentinel.\n\n      \xe2\x80\xa2   Proposal Preparation Instructions \xe2\x80\x94 This document provided\n          instructions on how proposals should be prepared and\n          submitted. It also included limited terms and conditions that\n          will apply to the contract, including the award fee structure.\n\n      \xe2\x80\xa2   Evaluation Criteria \xe2\x80\x94 This document was a part of the\n          Sentinel Statement of Work and described the factors to be\n          used in evaluating each proposal.\n\nBased on the above, in our judgment the FBI issued the Sentinel RFP\nin accordance with the FAR requirements. While delays have occurred\nin awarding a contract for Sentinel, we believe it better for the FBI to\ntake a reasonable amount of time at the outset of the project to\nensure that the bidders fully understand the FBI\xe2\x80\x99s needs, system\nspecifications, and expectations.\n\n      According to Sentinel program manager, The FBI is evaluating\nthe proposals based on the following criteria.\n\n\n                                    31\n\x0c      \xe2\x80\xa2   Past Performance \xe2\x80\x94 This item examines the quality of the\n          bidder\xe2\x80\x99s past performance on programs that are similar in\n          size, scope, and technological and managerial complexity to\n          the Sentinel program. Specifically, the FBI is evaluating the\n          bidder\xe2\x80\x99s technical and management performance and a\n          functional system the bidder developed.\n\n      \xe2\x80\xa2   Technical Approach \xe2\x80\x94 This item examines the quality of the\n          bidder\xe2\x80\x99s phased development approach and the sufficiency of\n          the proposed off-the-shelf selection approach.\n\n      \xe2\x80\xa2   Management Approach \xe2\x80\x94 This item examines the bidder\xe2\x80\x99s\n          proposed management approach for executing Sentinel\xe2\x80\x99s\n          design, development, integration and testing, deployment,\n          and operations and maintenance.\n\n      \xe2\x80\xa2   Security Approach \xe2\x80\x94 This item examines the bidder\xe2\x80\x99s\n          proposed approach to meeting the Sentinel security\n          requirements including personnel, infrastructure, and lifecycle\n          security.\n\n      \xe2\x80\xa2   Cost \xe2\x80\x94 This item examines the realism, reasonableness, and\n          completeness of the bidder\xe2\x80\x99s proposed cost.\n\n      The FBI solicited assistance from federally funded research and\ndevelopment centers and other organizations for administrative,\ntechnical, and cost analysis support during source selection. These\ncompanies were also used as advisors in the evaluation of the\nproposals. However, the FBI retained the responsibility for selecting\nthe contractor.\n\n       At the end of source selection, the FBI intends to award a cost-\nplus-award-fee task order contract to develop the Sentinel system. A\ncost-plus-award-fee contract provides an estimated cost plus a fee\nconsisting of a base amount fixed at inception of the contract and an\naward amount. The award amount is a pool of dollars available to the\nvendor to earn based on performance. The government makes the\naward fee determination based on periodic evaluations of vendor\nperformance. One important aspect of a cost-plus-award-fee contract\nis that the award fee amount must be sufficient to motivate the\nvendor\xe2\x80\x99s performance. According to the Sentinel Award Fee Plan, the\nFBI anticipates capping the overall contract award amount for the\ndevelopment of Sentinel at 12 percent of development costs.\n\n\n                                   32\n\x0c      This type of contract is common for large government IT\nprojects. In our 2005 report on Trilogy, we stated our concerns with\nthe cost-plus-award-fee contract as it was implemented by the FBI in\nthat project. The cost-plus-award-fee contract used for Trilogy did\nnot: (1) require specific completion milestones, (2) include critical\ndecision review points, and (3) provide for penalties if the milestones\nwere not met. However, the FBI\xe2\x80\x99s improved management processes\nand controls should minimize the risk of such problems recurring for\nSentinel since the FBI intends to establish clear milestones, penalties\nfor not meeting milestones, and critical decision review points.\n\nInformation Sharing\n\n       Executive Order 13356 requires that federal agencies design\ninformation systems with priority given to the interchange of terrorism\ninformation among agencies. Although the FBI has planned\nextensively for information to be shared among its divisions and\noffices, we found that it has expended little effort in assessing\ninformation sharing needs with other federal agencies. In particular,\nwe have no assurance that the FBI has identified all external systems\nwith which Sentinel must connect. While the Sentinel PMO told us that\nall external interfaces have been identified, we found that the external\ninformation sharing requirements for Sentinel have not yet been fully\nestablished but are scheduled to be completed by April 2006. Because\nthese requirements have yet to be established, we anticipate a\nmodification to the contract. In our opinion, such modifications\nrepresent a potential risk of requirements creep.\n\n       The FBI is developing Sentinel using architectural models not\nwidely used in the Department of Justice, which may require\nretrofitting or modifying other Department information systems as well\nas those of other agencies to effectively share information with\nSentinel. The cost, extent, and timing of those modifications are not\nknown. In our judgment, the FBI needs to focus more attention on\nthe sharing of information between Sentinel and other agencies\xe2\x80\x99 data\nsystems in these early stages of Sentinel\xe2\x80\x99s development. As discussed\nbelow, if Sentinel is developed without defining adequate external\ninformation sharing requirements, the system may not meet the\ninformation sharing mandate of Executive Order 13356, and costs may\nescalate due to the addition of these requirements later.\n\nInformation Sharing Requirements\n\n\n\n                                   33\n\x0c       During our audit, we interviewed several FBI and Department\nofficials to better understand the process used to identify Sentinel\xe2\x80\x99s\ninformation sharing requirements. We found that the process the FBI\nused to identify the internal information sharing requirements was\nextensive, while the process to identify external information sharing\nrequirements and compatibility appeared non-existent.\n\n       According to the FBI, during the development of Sentinel\xe2\x80\x99s\nrequirements system engineers held working sessions with future\nSentinel users in the FBI to gain an understanding of what the system\nneeded to do. The results of these sessions were compiled into a\nworking draft of the Sentinel system requirements, which was then\ncirculated to internal users for comment. According to FBI officials,\napproximately 1,200 comments were received, and many were\nintegrated into the final systems requirements document. As a result\nof this interaction with internal users, the Sentinel requirements\ndetailed how the system should interact with internal systems. For\nexample, the system requirements show how data would be entered\ninto and extracted from Sentinel as well as how Sentinel will generate\nreports currently produced by other FBI systems.\n\n      In response to our concerns about information sharing, the FBI\nCIO stated that the FBI is working with the OMB, DHS, and the\nDirectorate of National Intelligence (DNI) to ensure external interface\nrequirements are adequately considered. However, the FBI CIO noted\nthat while the OMB is taking steps to encourage external agencies\xe2\x80\x99\ninvolvement, the level of involvement of these agencies cannot be\ncontrolled by the FBI. With respect to external IT system connections\nwith Sentinel, the FBI said that in July 2005 it invited the Department\nof Homeland Security (DHS), the Drug Enforcement Administration\n(DEA), and the Bureau of Alcohol, Tobacco, Firearms and Explosives\n(ATF) to participate in its development of Sentinel\xe2\x80\x99s requirements and\nhas since begun discussions with the OMB and DNI on the need for\nsystem connections.\n\n       We interviewed representatives from the DHS, DEA, and ATF to\ndetermine the extent of each agency\xe2\x80\x99s involvement in the development\nof Sentinel\xe2\x80\x99s requirements. The DHS representative stated that the\nDHS was given the opportunity to review the requirements document\nafter the document was finalized by the FBI. The DHS has committed\nto providing the FBI with subject matter experts for 3 years in the\nareas of Enterprise Architecture, system engineering, security, privacy,\nand data to the project. At the time of our audit, the DHS was in the\nprocess of identifying the personnel to detail to the FBI.\n\n\n                                  34\n\x0c       A DEA official stated that the FBI initially wanted the DEA to\nparticipate in an advisory capacity on the Sentinel steering committee\nand to have someone assigned full-time to Sentinel. While the DEA\nwas not able to provide a full-time staff member, two officials\nparticipated on the steering committee. In addition, a DEA official\nreviewed the requirements for Sentinel to ensure that Sentinel\naddressed DEA information sharing needs. Although the DEA plans to\ndeploy its own new case management system to its field offices in\nearly 2006, the DEA said it intends to stay abreast of any\ndevelopments with Sentinel. The DEA anticipates that staying\ninformed about Sentinel will enable it to make changes to its case\nmanagement system as the Sentinel project develops, thereby\nreducing the need of major retrofitting after Sentinel is completed.\nHowever, before Sentinel can connect with the DEA\xe2\x80\x99s case\nmanagement system, a gateway from the classified operating\nenvironment of Sentinel to the sensitive but unclassified environment\nof the DEA\xe2\x80\x99s case management system must be established. Overall,\nDEA managers said they believe that Sentinel will meet the agency\xe2\x80\x99s\ninformation sharing needs as long as the FBI executes the project as\nplanned.\n\n       ATF officials told us that in late September 2005, an ATF official\nmet with the Sentinel program manager to introduce himself as a point\nof contact for the ATF and provide information about the ATF\xe2\x80\x99s\nresearch into off-the-shelf products to enhance case management\ninquiry capability and facilitate information sharing. ATF officials said\nthat they had not reviewed any of the requirements for Sentinel, and\nhave had no other involvement with Sentinel. According to the ATF, it\nis too early in the Sentinel project for it to determine whether any\nretrofitting of ATF programs will be required once Sentinel is\ncompleted to enable information sharing to occur between the two\nagencies.\n\n       During our audit work, we reviewed briefing documents,\nprepared by the FBI Office of IT Program Management for the FBI\nDeputy Director, in which the FBI indicated that the external interfaces\nfor information sharing with the intelligence and law enforcement\ncommunities were not well-defined. When questioned about its\nuncertainty regarding Sentinel\xe2\x80\x99s compatibility with other agencies\xe2\x80\x99\nsystems, the FBI said that it has identified all known external\ninterfaces that would fall under the FBI\xe2\x80\x99s information-sharing\nrequirements. In addition, the FBI said that previously agreed-upon\nstandards for information sharing across the law enforcement,\n\n\n                                   35\n\x0cintelligence, and defense communities will be followed in the\ndevelopment of Sentinel. However, we have not seen evidence of a\ncomprehensive list of these information-sharing requirements. In fact,\nan FBI division head told us that the FBI\xe2\x80\x99s list of external information-\nsharing requirements should be completed by April 2006. As noted\npreviously, if Sentinel is developed without adequately defining such\nexternal information sharing requirements, the system may not meet\nthe information sharing mandate of Executive Order 13356 and the\ncost of the project may escalate because of the inclusion of these\nrequirements at a later date.\n\nTarget Architecture\n\n       Sentinel will be developed using the Global Justice Extensible\nMarkup Language (XML) Data Reference Model (GJXDM) and its\nextension, the National Information Exchange Model (NIEM). (See\nAppendix 9 for a discussion of these models.) The GJXDM and NIEM\ncan make information exchange substantially more efficient by\ndefining how information should be documented. In addition, the\nintelligence agencies connected to Sentinel will use the Terrorist\nWatchlist Person Data Exchange Standard. 20 The FBI expects its new\ninvestigative case management architecture to capture and define\nprocesses for performing investigations and for collecting, controlling,\nanalyzing, and sharing law enforcement data. Consequently, the\ntarget architecture for Sentinel that is expected to enable greater\ninformation sharing and improved management reporting is a key\ndeliverable of the Sentinel case management system.\n\n        According to a Department of Justice system architect, the\nGJXDM is not yet in use in most of the systems in the Department.\nHowever, he said the Department is moving forward on a number of\ninitiatives to ensure its broader implementation. We believe the FBI\nand the Department need to focus more attention on this connectivity\nissue, because external entities\xe2\x80\x99 systems have not been developed\nwith the same architectural model. Therefore, retrofitting or modifying\nthe external agencies\xe2\x80\x99 systems may be necessary, and the cost,\nextent, and timing of such retrofitting is unknown at this time.\n\n      According to FBI officials, external collaboration, including\ninformation sharing with the intelligence community and law\n\n       20\n          The Terrorist Watchlist Person Data Exchange Standard is a data exchange\nformat for terrorist watchlist data that supports the Departments of State, Justice,\nHomeland Security, and the intelligence community.\n\n\n\n                                        36\n\x0c      enforcement partners, is envisioned with secure connections to a data\n      mart. 21 The following figure depicts the FBI\xe2\x80\x99s target architecture for\n      such external information sharing.\n\n                     VISION of FBI TARGET ARCHITECTURE\n\n\n\n\nSource: Department of Justice Office of the CIO\n\n            The terrorist attacks of September 11, 2001, underscore the\n      need for agencies involved in combating terrorism to be able to\n      communicate with one another effectively. An intelligence agency may\n      have only partial information on a suspected terrorist, but when\n      coupled with information that other agencies possess, a threat may\n      become more clear. In our judgment, there is no assurance that the\n      requirements for Sentinel have been sufficiently defined to allow such\n      interagency information sharing without potentially costly and time-\n      consuming modification of agencies\xe2\x80\x99 existing systems to achieve\n\n             21\n               A data mart is a specialized version of a data warehouse. Like data\n      warehouses, data marts contain a snapshot of operational data that aids strategizing\n      based on analyses of past trends and experiences.\n\n\n                                              37\n\x0ccompatibility with Sentinel. While Sentinel is first and foremost a\nsystem that must address the FBI\xe2\x80\x99s needs, in our judgment it may not\nserve the FBI\xe2\x80\x99s goal to prevent future terrorist attacks if this new\nsystem is isolated from information that exists within other agencies\xe2\x80\x99\ninformation systems.\n\nFederal Investigative Case Management System\n\n      In addition to developing its own case management system, the\nFBI is also the lead agency for the interagency Federal Investigative\nCase Management System (FICMS) initiative, as stated in a\nmemorandum of understanding (MOU) signed by the FBI, DOJ, and\nDHS CIOs in June 2005. As lead agency, the FBI is expected to\ndevelop an architectural framework that will establish case\nmanagement data and technology standards that enable electronic\ninformation sharing among government agencies. In April 2005, the\nFBI developed a draft FICMS framework which, according to the FBI\nCIO, was submitted to the Department for consideration. He added\nthat the Department is refining the draft framework into a more\nmature framework. The June 2005 MOU also states that Sentinel will\nbe the first implementation of the FICMS framework. The FBI CIO\nstated that the FBI is using the draft framework to drive the\ndevelopment of Sentinel, and when Sentinel is completed it will\nprovide the FICMS framework with various case management services\nthat can be adopted by other agencies.\n\n      According to the 2005 MOU, two mission needs drive the\ndevelopment of the Sentinel project as the initial implementation of\nthe FICMS:\n\n      \xe2\x80\xa2   bring all federal law enforcement and investigative resources\n          into a common electronic environment that promotes\n          collaboration and optimum deployment of federal resources,\n          and\n\n      \xe2\x80\xa2   create investigative case management solutions that provide\n          state-of-the-art capabilities to collect, share, and analyze\n          information from internal and external sources, and initiate\n          appropriate enforcement responses.\n\n       The DHS said it provided $500,000 in FY 2005 to the\nDepartment of Justice for FICMS and will contribute up to that amount\nin FY 2006. A DHS official said that the DHS would have to wait and\nsee if the FBI establishes its business processes within Sentinel in such\n\n\n                                   38\n\x0ca way that allows the processes to be modified to meet the needs of\nother agencies or not. However, if the FBI develops Sentinel as\nintended \xe2\x80\x94 using a service-oriented architecture \xe2\x80\x94 the DHS\nanticipates using approximately 40 to 60 percent of the system.\nOther potential users of the FICMS framework outside the Department\nof Justice include the Departments of Energy and Treasury, and the\nDNI. Therefore, the FBI should more closely consult with other\nintelligence and law enforcement agencies as the FBI moves forward in\ndeveloping Sentinel.\n\nConclusion\n\n      In our judgment, the FBI has taken a variety of positive steps to\naddress its past IT development mistakes and to plan for the\ndevelopment of Sentinel. Specifically, the FBI has made significant\nprogress by developing ITIM processes, a more mature Enterprise\nArchitecture, and other management improvements since the Trilogy\nproject, including establishing a Sentinel Program Management Office.\n\n      However, we have several concerns about the project that\nrequire action and continued monitoring by the FBI, the OIG, and\nother interested parties: (1) the incomplete staffing of the PMO,\n(2) the FBI\xe2\x80\x99s ability to reprogram funds to complete the second phase\nof the project without jeopardizing its mission-critical operations,\n(3) Sentinel\xe2\x80\x99s ability to share information with external intelligence and\nlaw enforcement agencies and provide a common framework for other\nagencies\xe2\x80\x99 case management systems, (4) the lack of an established\nEVM process, (5) the FBI\xe2\x80\x99s ability to track and control Sentinel\xe2\x80\x99s costs,\nand (6) the lack of complete documentation required by the FBI\xe2\x80\x99s ITIM\nprocesses.\n\n       Unlike during its failed VCF effort, the FBI now has a maturing\nEnterprise Architecture and a sound ITIM process in its LCMD. We\nfound that the FBI generally is managing the Sentinel project in\naccordance with the LCMD. By following the LCMD, the FBI appears to\nhave implemented adequate management controls through a variety\nof review boards and other oversight structures. This includes the\nidentification of project risks and the development of mitigation\nstrategies for those risks. The addition of an effective EVM process will\nalso enhance the FBI\xe2\x80\x99s control over the project cost and schedule.\nAccording to the FBI, full implementation of an EVM process for the\nSentinel project is scheduled to occur approximately 2 months after\nthe Sentinel contract is awarded. Based on our initial review, the FBI\xe2\x80\x99s\n\n\n\n\n                                   39\n\x0cEVM strategy appears adequate. We will monitor the FBI\xe2\x80\x99s\nimplementation of EVM in future audits.\n\n       The FBI continues to build a PMO specific to the Sentinel project,\nan entity critical to the project\xe2\x80\x99s successful management continuity\nand oversight. However, as of January 30, 2006, the Sentinel PMO\nwas staffed with 51 of the 76 staff the FBI determined are needed to\nsuccessfully manage Sentinel. Unless the FBI fully staffs the PMO\nduring the first phase of the project, the FBI runs the risk of not being\nable to oversee adequately Sentinel\xe2\x80\x99s aggressive delivery schedule.\nWe believe that it is imperative for the FBI to fully staff the PMO with\nqualified personnel as quickly as possible and to continue to follow the\nguidelines, requirements, and controls established in the LCMD.\n\n       While we support in principle the FBI\xe2\x80\x99s initial $97 million\nreprogramming request for the Sentinel program, we have concerns\nabout the effect of a second large reprogramming request on the FBI\xe2\x80\x99s\nmission-essential operations. It is not clear to us how the FBI can\neffectively carry out its wide-ranging and complex mission if funds of\nthis magnitude need to be diverted from other FBI programs in a\nsecond reprogramming. Additionally, the FBI\xe2\x80\x99s ability to track\nSentinel\xe2\x80\x99s costs needs to be firmly established by the time the contract\nis signed to ensure that all of the funding for the project is adequately\naccounted for.\n\n      Although the FBI has tried to use its past work on VCF in the\nSentinel effort, neither the FBI nor we could quantify how much\nhardware and development work from the VCF had been transferred to\nthe Sentinel project.\n\n       With regard to information sharing, we found that the\ndevelopment of Sentinel and the architecture for the interagency\nFICMS are being performed largely in parallel. Sentinel is being\ndeveloped to be compliant with the GJXDM language and data\nreference and the Terrorist Watchlist Person Data Exchange Standard.\nThere are risks associated with this tandem development approach,\nbecause Sentinel is essentially defining the standards for FICMS.\nFurthermore, the ultimate connectivity between Sentinel and external\nsystems remains unclear, as most Department of Justice systems are\nnot using the GJXDM model and may require significant modifications\nto facilitate information exchange. The cost and extent of those\nmodifications are unknown at this time.\n\n      In our judgment, Sentinel\xe2\x80\x99s requirements, including those for\ninformation sharing, must be firm before work begins on the project in\n\n\n                                   40\n\x0corder to avoid delays and cost increases and if Sentinel is to serve one\nof its intended purposes \xe2\x80\x94 to provide an investigative case\nmanagement system that other federal law enforcement agencies can\nadapt for their own use and that will allow for information sharing\namong federal law enforcement and intelligence community agencies.\nAlthough the FBI appears to have thoroughly examined internal FBI\ninformation sharing requirements in developing Sentinel, it has not\nensured compatibility with other agencies\xe2\x80\x99 systems.\n\n      We have found that in addition to continuing to develop an EVM\nprocess and the capability to track costs, the FBI has yet to complete\nsystem security and verification and validation plans as established in\nthe FBI\xe2\x80\x99s ITIM. These plans, which the FBI intends to complete after\nthe Sentinel contract is awarded, are required to ensure that the\nsystem meets the FBI\xe2\x80\x99s security requirements and is implemented\naccording to established control mechanisms.\n\n      The OIG will continue to monitor and periodically issue audit\nreports throughout the Sentinel project in an effort to track the FBI\xe2\x80\x99s\nprogress and identify any emerging concerns over the cost, schedule,\ntechnical, and performance aspects of the project. As a result of our\nreview of the pre-acquisition phase of the Sentinel project, we make\nthe following recommendations.\n\nRecommendations\n\n      We recommend that the FBI:\n\n      1. Ensure that the system security and Independent Verification\n         and Validation plans are completed as soon as possible after\n         the contract is signed.\n\n      2. Ensure that the Sentinel Program Management Office is\n         staffed to a level that will support Sentinel\xe2\x80\x99s aggressive\n         delivery schedule.\n\n      3. Obtain a tool that will allow for the effective implementation\n         of an Earned Value Management process and fully implement\n         this process.\n\n      4. Discuss with other intelligence community and law\n         enforcement agencies their information sharing requirements\n         to ensure compatibility with those systems in the\n         requirements and design of Sentinel.\n\n\n\n                                   41\n\x0c5. Ensure that an effective system is in place to accurately track\n   and control Sentinel\xe2\x80\x99s development costs.\n\n6. Complete a comprehensive Sentinel training plan with realistic\n   schedule and cost estimates and include these training cost\n   estimates in the estimates of overall project costs.\n\n7. Establish a method to monitor the operational impact of a\n   potential second reprogramming and identify for resolution\n   any degrading of the FBI\xe2\x80\x99s mission-critical functions due to\n   the diversion of funds to the Sentinel project.\n\n\n\n\n                             42\n\x0c            STATEMENT ON COMPLIANCE WITH\n                LAWS AND REGULATIONS\n\n      This audit assessed the FBI\xe2\x80\x99s planning for its Sentinel case\nmanagement project. In connection with the audit, as required by the\nGovernment Auditing Standards, we reviewed management processes\nand records to obtain reasonable assurance that the FBI\xe2\x80\x99s compliance\nwith laws and regulations that, if not complied with, in our judgment,\ncould have a material effect on FBI operations. Compliance with laws\nand regulations applicable to the FBI\xe2\x80\x99s management of the Sentinel\nproject is the responsibility of the FBI\xe2\x80\x99s management.\n\n      Our audit included examining, on a test basis, evidence about\nlaws and regulations. The specific laws and regulations against which\nwe conducted our tests are contained in the relevant portions of:\n\n     \xe2\x80\xa2   President\xe2\x80\x99s Management Agenda,\n\n     \xe2\x80\xa2   OMB Circulars A-11 and A-130,\n\n     \xe2\x80\xa2   Executive Order 13356 (superseded by "Executive Order:\n         Further Strengthening the Sharing of Terrorism Information\n         to Protect Americans," dated October 25, 2005),\n\n     \xe2\x80\xa2   Federal Acquisition Regulations,\n\n     \xe2\x80\xa2   E-Government Act,\n\n     \xe2\x80\xa2   Clinger-Cohen Act,\n\n     \xe2\x80\xa2   Paperwork Reduction Act,\n\n     \xe2\x80\xa2   DOJ IT Strategic Plan,\n\n     \xe2\x80\xa2   Federal Investigative Case Management System Framework,\n\n     \xe2\x80\xa2   FBI IT Strategic Plan, and\n\n     \xe2\x80\xa2   FBI Life Cycle Management Directive.\n\n     Our audit identified no areas where the FBI was not in\ncompliance with the laws and regulations referred to above. With\nrespect to transactions that were not tested, nothing came to our\n\n\n                                  43\n\x0cattention that caused us to believe that FBI management was not in\ncompliance with the laws and regulations cited above.\n\n\n\n\n                                 44\n\x0c               STATEMENT ON INTERNAL CONTROLS\n\n      In planning and performing our audit of the FBI\xe2\x80\x99s pre-acquisition\nplanning for its Sentinel project, we considered the FBI\xe2\x80\x99s internal\ncontrols for the purpose of determining our audit procedures. This\nevaluation was not made for the purpose of providing assurance on\nthe internal control structure as a whole. However, we noted certain\nmatters that we consider to be reportable conditions under the\nGovernment Auditing Standards.\n\n       Reportable conditions involve matters coming to our attention\nrelating to significant deficiencies in the design or operation of the\ninternal control structure that, in our judgment, could adversely affect\nthe FBI\xe2\x80\x99s ability to manage its Sentinel project. During our audit, we\nfound the following internal control deficiencies.\n\n      \xe2\x80\xa2   The FBI\xe2\x80\x99s Program Management Office for Sentinel is not yet\n          fully staffed to effectively manage the Sentinel project.\n\n      \xe2\x80\xa2   Sentinel\xe2\x80\x99s information sharing requirements are not yet\n          clearly defined to meet the federal intelligence sharing\n          mandate.\n\n      Because we are not expressing an opinion on the FBI\xe2\x80\x99s internal\ncontrol structure as a whole, this statement is intended solely for the\ninformation and use of the FBI in planning for the Sentinel project.\nThis restriction is not intended to limit the distribution of this report,\nwhich is a matter of public record.\n\n\n\n\n                                    45\n\x0c                                                          APPENDIX 1\n\n            OBJECTIVES, SCOPE, AND METHODOLOGY\n\nObjective\n\n      The objective of the audit was to evaluate the FBI\xe2\x80\x99s planning for\nSentinel, including the approach, design, cost and funding sources,\ntimeframe, contracting vehicle, and oversight structure.\n\nScope and Methodology\n\n      The audit was performed in accordance with the Government\nAuditing Standards, and included tests and procedures necessary to\naccomplish the audit objective. We conducted work at the FBI\nHeadquarters in Washington, D.C.\n\n      To perform our audit, we interviewed officials from the FBI, DEA,\nATF, DHS, and the Department of Justice. We also reviewed\ndocuments related to the planning for the Sentinel project, budget\ndocumentation, organizational structures, congressional testimony,\nand prior GAO and OIG reports.\n\n       To evaluate the FBI\xe2\x80\x99s planning for Sentinel including the\napproach, design, cost and funding sources, timeframe, contracting\nvehicle, and oversight structure, we examined the FBI\xe2\x80\x99s compliance\nwith its Life Cycle Management Directive. We did this by reviewing the\nFBI\xe2\x80\x99s plans for each completed phase of the directive. We also\ninterviewed FBI division heads to determine if, in their opinion, the\nsystem requirements are comprehensive enough to meet user\nexpectations. In addition, we reviewed the FBI\xe2\x80\x99s methodology for\nselecting the contracting vehicle and developing the system\nrequirements. We examined the FBI\xe2\x80\x99s proposed funding for the\nproject including the reprogramming request for the first phase. We\nalso discussed with FBI officials the potential risk to the FBI\xe2\x80\x99s\noperations if a second reprogramming is necessary. We analyzed the\nFBI\xe2\x80\x99s staffing procedures for the management and oversight for\nSentinel.\n\n      To examine the issue of information sharing, we reviewed the\nSentinel statement of work and the system requirements. We also\ndiscussed this issue with representatives from the CIO offices of the\nFBI, DEA, ATF, and the Departments of Justice and Homeland\nSecurity.\n\n\n                                  46\n\x0c                                                    APPENDIX 2\n\n                        ACRONYMS\n\nACS     Automated Case Support\nATF     Bureau of Alcohol, Tobacco, Firearms and Explosives\nCIO     Chief Information Office\nCMMI    Capability Maturity Model Integration\nCOTS    Commercial Off-the-Shelf\nDEA     Drug Enforcement Administration\nDHS     Department of Homeland Security\nEVM     Earned Value Management\nFAR     Federal Acquisition Regulations\nFBI     Federal Bureau of Investigation\nFICMS   Federal Investigative Case Management System\nFY      Fiscal Year\nGAO     Government Accountability Office\nGJXDM   Global Justice XML Data Reference Model\nGOTS    Government Off-the-Shelf\nGWAC    Government-wide Acquisition Contract\nIOC     Initial Operational Capability\nIMPRB   Investment Management Project Review Board\nIT      Information Technology\nITIM    Information Technology Investment Management\nIV&V    Independent Verification & Validation\nLCMD    Life Cycle Management Directive\nMOU     Memorandum of Understanding\nNIEM    National Information Exchange Model\nNIH     National Institutes of Health\nOCM     Organization Change Management\nOIG     Office of the Inspector General\nOMB     Office of Management and Budget\nPMO     Program Management Office\nRFP     Request for Proposal\nUNI     Universal Index\nVCF     Virtual Case File\nXML     Extensible Markup Language\n\n\n\n\n                             47\n\x0c                                                          APPENDIX 3\n\n               PRIOR REPORTS ON THE FBI\xe2\x80\x99S\n                INFORMATION TECHNOLOGY\n\n      Below is a listing of relevant reports discussing the FBI\xe2\x80\x99s\ninformation technology systems. These include reports issued by the\nDepartment of Justice, Office of the Inspector General (OIG), the\nGovernment Accountability Office (GAO), and by other external entities\nas well as FBI internal reports.\n\nExternal Reports on FBI Case Management Efforts\n\n      In February 2005, the OIG issued a report entitled, The Federal\nBureau of Investigation\xe2\x80\x99s Management of the Trilogy Information\nTechnology Management Project, which encompassed Sentinel\xe2\x80\x99s\npredecessor, the Virtual Case File (VCF). The OIG recommended the\nFBI take the following steps:\n\n     \xe2\x80\xa2   Replace the obsolete ACS system as quickly and as cost\n         effectively as feasible.\n\n     \xe2\x80\xa2   Reprogram FBI resources to meet the critical need for a\n         functional case management system.\n\n     \xe2\x80\xa2   Freeze the critical design requirements for the case\n         management system before initiating a new contract and\n         ensure that the contractor fully understands the requirements\n         and has the capability to meet them.\n\n     \xe2\x80\xa2   Incorporate development efforts for the VCF into the\n         development of the requirements for any successor case\n         management system.\n\n     \xe2\x80\xa2   Validate and improve as necessary financial systems for\n         tracking project costs to ensure complete and accurate data.\n\n     \xe2\x80\xa2   Develop policies and procedures to ensure that future\n         contracts for IT-related projects include defined requirements,\n         progress milestones, and penalties for deviations from the\n         baselines.\n\n\n\n\n                                  48\n\x0c     \xe2\x80\xa2   Establish management controls and accountability to ensure\n         that baselines for the remainder of the current user\n         applications contract and any successor Trilogy-related\n         contracts are met.\n\n     \xe2\x80\xa2   Apply ITIM processes to all Trilogy-related and any successor\n         projects.\n\n     \xe2\x80\xa2   Monitor the Enterprise Architecture being developed to ensure\n         timely completion as scheduled.\n\n      The report concluded that the difficulties experienced in\ncompleting the Trilogy project were partially attributable to:\n(1) design modifications the FBI made as a result of refocusing its\nmission from traditional criminal investigations to preventing\nterrorism, (2) poor management decisions early in the project,\n(3) inadequate project oversight, (4) a lack of sound IT investment\npractices, and (5) not applying lessons learned over the course of the\nproject.\n\n       The National Research Council issued a report in May 2004\nentitled A Review of the FBI\xe2\x80\x99s Trilogy Information Technology\nModernization Program. The report found that the program was not\non a path to success, and identified the following needs:\n\n     \xe2\x80\xa2   valid contingency plan for transitioning from the old case\n         management system to the new one,\n\n     \xe2\x80\xa2   completed Enterprise Architecture,\n\n     \xe2\x80\xa2   adequate time for testing the new system prior to\n         deployment,\n\n     \xe2\x80\xa2   improved contract management processes, and\n\n     \xe2\x80\xa2   expanded IT human resources base.\n\n      The report concluded that the FBI had made significant progress\nin some areas of its IT modernization efforts, such as the\nmodernization of the computing hardware and baseline software and\nthe deployment of its networking infrastructure. However, because\nthe FBI\xe2\x80\x99s IT infrastructure was inadequate in the past, there was still\nan enormous gap between the FBI\xe2\x80\x99s IT capabilities and the capabilities\nthat were urgently needed.\n\n\n                                  49\n\x0c      The report was updated in June 2004 as a result of what the\nCouncil deemed clear evidence of progress being made by the FBI to\nmove ahead in its IT modernization program. This included the\nappointment of a permanent CIO and the formation of a staffed\nprogram office for improved IT contract management. The progress\nbeing made by the FBI appeared to the Council to have been more\nrapid than expected, although many challenges remained. The Council\nalso emphasized that the FBI\xe2\x80\x99s missions constitute increasingly\ninformation-intensive challenges, and the ability to integrate and\nexploit rapid advances in IT capabilities will only become more critical\nwith time. The update concluded that even with perfect program\nmanagement and execution, substantial IT expenses on an ongoing\nbasis are inevitable and must be anticipated in the budget process if\nthe FBI is to maximize the operational leverage that IT offers.\n\n       In September 2004, the GAO issued a report entitled,\nInformation Technology: Foundational Steps Being Taken to Make\nNeeded FBI Systems Modernization Management Improvements. This\nreport stated that although improvements were under way and more\nwere planned, the FBI did not have an integrated plan for modernizing\nits IT systems. Each of the FBI\xe2\x80\x99s divisions and other organizational\nunits that manage IT projects performs integrated planning for its\nrespective IT projects. However, the plans did not provide a common,\nauthoritative, and integrated view of how IT investments will help\noptimize mission performance, and they did not consistently contain\nthe elements expected to be found in effective systems modernization\nplans. The GAO recommended that the FBI limit its near-term\ninvestments in IT systems until the FBI developed an integrated\nsystems and modernization plan and effective policies and procedures\nfor systems acquisition and investment management. Additionally, the\nGAO recommended that the FBI\xe2\x80\x99s CIO be provided with the\nresponsibility and authority to effectively manage IT FBI-wide.\n\n     In April 2005, the House Surveys and Investigations staff issued\nA Report to the Committee on Appropriations, U.S. House of\nRepresentatives, which concluded the following.\n\n      \xe2\x80\xa2   VCF development suffered from a lack of program\n          management expertise, disciplined systems engineering\n          practices, and contract management. The project also was\n          affected by a high turnover of Chief Information Officers and\n          program managers.\n\n\n\n                                   50\n\x0c      \xe2\x80\xa2   VCF development was negatively impacted by the FBI\xe2\x80\x99s lack\n          of an empowered and centralized Office of Chief Information\n          Officer and sound business processes by which IT projects are\n          managed.\n\n      \xe2\x80\xa2   The FBI\xe2\x80\x99s decision to terminate VCF was related to\n          deficiencies in the VCF product delivered, failure of a pilot\n          project to meet user needs, and the new direction the FBI\n          planned to take for its case management system.\n\n      \xe2\x80\xa2   The FBI\xe2\x80\x99s IT program management business structure and\n          processes were, for the most part, in place, although some of\n          these processes needed to mature.\n\nFBI Internal Reports on Case Management\n\n      The FBI hired the Aerospace Corporation to perform an\nassessment of Commercial Off-the-Shelf (COTS) and Government Off-\nthe-Shelf (GOTS) systems that could be used in developing a case\nmanagement system and also an Independent Verification and\nValidation of Trilogy\xe2\x80\x99s Virtual Case File. In December 2004, the\ncontractor issued the COTS/GOTS Trade Study, which recommended\nthat the FBI look to systems that have an emphasis on data sharing.\nThe contractor further recommended that an acquisition strategy be\ndeveloped that includes an incremental deployment of core capabilities\nand the incremental addition of such components as intelligent search\nand reporting and specific analytic capabilities.\n\n       The contractor released the Independent Verification and\nValidation of the Trilogy Virtual Case File, Delivery 1: Final Report in\nJanuary 2005. The report recommended discarding the VCF and\nstarting over with a COTS-based solution. The contractor concluded\nthat a lack of effective engineering discipline had led to inadequate\nspecification, design, and development of VCF. Further, the contractor\ncould find no assurance that the architecture, concept of operations\nand requirements were correct or complete, and no assurance that\nthey could be made so without substantial rework. In sum, the\ncontractor reported that VCF was a system whose true capability was\nunknown, and whose capability may remain unknown without\nsubstantial time and resources applied to remediation.\n\n\n\n\n                                    51\n\x0cOther OIG Reports on the FBI\xe2\x80\x99s IT\n\n      OIG reports issued over the past 15 years have highlighted\nissues concerning the FBI\xe2\x80\x99s utilization of IT, including its investigative\nsystems. In 1990, the OIG issued a report entitled The FBI\xe2\x80\x99s Automatic\nData Processing General Controls. This report described 11 internal\ncontrol weaknesses and found that:\n\n      \xe2\x80\xa2     The FBI\xe2\x80\x99s phased implementation of its 10-year Long\n            Range Automation Strategy, scheduled for completion in\n            1990, was severely behind schedule and may not be\n            accomplished;\n\n      \xe2\x80\xa2     The FBI\xe2\x80\x99s Information Resources Management program\n            was fragmented and ineffective, and the FBI\xe2\x80\x99s Information\n            Resources Management official did not have effective\n            organization-wide authority;\n\n      \xe2\x80\xa2     The FBI had not developed and implemented a data\n            architecture; and\n\n      \xe2\x80\xa2     The FBI\xe2\x80\x99s major mainframe investigative systems were\n            labor intensive, complex, untimely, and non-user friendly\n            and few agents used these systems.\n\n       The OIG\xe2\x80\x99s July 1999 special report, The Handling of FBI\nIntelligence Information Related to the Justice Department\xe2\x80\x99s Campaign\nFinance Investigation, stated that FBI personnel were not well-versed\nin the ACS system and other databases. Additionally, a November\n1999 OIG report entitled A Review of the Justice Department\xe2\x80\x99s\nHandling of the Death of Kenneth Michael Trentadue at the Bureau of\nPrison\xe2\x80\x99s Federal Transfer Center in Oklahoma City, noted deficiencies\nin uploading key evidence into the ACS.\n\n       A March 2002 OIG report entitled, An Investigation of the\nBelated Production of Documents in the Oklahoma City Bombing Case,\nanalyzed the causes for the FBI\xe2\x80\x99s belated delivery of many documents\nin the Oklahoma City bombing case. This report concluded that the\nACS system was extraordinarily difficult to use, had significant\ndeficiencies, and was not the vehicle for moving the FBI into the 21\ncentury. The report noted that inefficiencies and complexities in the\nACS, combined with the lack of a true information management\nsystem, were contributing factors in the FBI\xe2\x80\x99s failure to provide\n\n\n\n                                   52\n\x0chundreds of investigative documents to the defendants in the\nOklahoma City bombing case.\n\n       In May 2002, the OIG issued a report on the FBI\xe2\x80\x99s administrative\nand investigative mainframe systems entitled the Independent\nEvaluation Pursuant to the Government Information Security Reform\nAct, Fiscal Year 2002. The report identified continued vulnerabilities\nwith management, operational, and technical controls within the FBI.\nThe report stated that these vulnerabilities occurred because the\nDepartment and FBI security management had not enforced\ncompliance with existing security policies, developed a complete set of\npolicies to effectively secure the administrative and investigative\nmainframes, or held FBI personnel responsible for timely correction of\nrecurring findings. Further, the report stated that FBI management\nhad been slow to correct identified weaknesses and implement\ncorrective action and, as a result, many of these deficiencies repeated\nyear after year in subsequent audits.\n\n       In December 2002, the OIG issued a report on The FBI\xe2\x80\x99s\nManagement of Information Technology Investments, which included a\ncase study of the Trilogy project. The report made 30\nrecommendations, 8 of which addressed the Trilogy project. The\nreport\xe2\x80\x99s focus was on the need to adopt sound investment\nmanagement practices as recommended by the GAO. The report also\nstated that the FBI did not fully implement the management processes\nassociated with successful IT investments. Specifically, the FBI had\nfailed to implement the following critical processes:\n\n     \xe2\x80\xa2     defining and developing IT investment boards,\n\n     \xe2\x80\xa2     following a disciplined process of tracking and overseeing\n           each project\xe2\x80\x99s cost and schedule milestones over time,\n\n     \xe2\x80\xa2     identifying existing IT systems and projects,\n\n     \xe2\x80\xa2     identifying the business needs for each IT project, and\n\n     \xe2\x80\xa2     using defined processes to select new IT project proposals.\n\nThe audit found that the lack of critical IT investment management\nprocesses for Trilogy contributed to missed milestones and led to\nuncertainties about cost, schedule, and technical goals.\n\n\n\n\n                                  53\n\x0c                                                                                                                      APPENDIX 4\n\n\n                                        FBI\xe2\x80\x99S LCMD IT SYSTEMS LIFE CYCLE\n\n                                                                                             CMB \xe2\x80\x93 Lead     CMB \xe2\x80\x93 Lead              CMB \xe2\x80\x93 Lead\n                          IMPRB \xe2\x80\x93 Lead                 IMPRB \xe2\x80\x93 Lead             TRB \xe2\x80\x93 Lead      TRB           IMPRB                 IMPRB/EAB\n  Control Gate\n\n\n\n\n                              EAB                          CRB                     EAB              CMB \xe2\x80\x93 Lead\n    Reviews\n\n\n\n\n                                    1                          2                        3        4      TRB     6                         7\n\n                                    SCR                       APR                        CDR   DRR             OAR                        DR     To\n                                                                                                         5\n                                                                                                                                               Archives\n                                                                                                               Sys TRR\n  Reviews\n\n\n\n\n                                                                   SSAR     RCR    PDR         PTRR         SAR               AOR                 TR\n  Project\n\n\n\n\n                           MNR                    SSR\n                            1                                       3 4 5 6 7                    8        9 10      11        12                  13\n                                                   2\n                                                                        CIR    DCR                       STRR      ORR\n  OCIO\n  Roles\n\n\n\n\n                            OIPP          OIPM                               ITSD/CTO\n                                                                                    O & M Organization (ITOD & CJIS)\nPhases\n Cycle\n\n\n\n\n                           Concept                                Source                     Develop\n  Life\n\n\n\n\n                                         Requirements Acquisition                                         Implementation   Operations &\n                                         Development Planning Selection\n                                                                               Design                                                      Disposal\n                          Exploration                                                         & Test       & Integration   Maintenance\n            Security\n\n\n\n\n                                 Security Requirements                Security Certification             Security      Security\n Milestones Roles\n\n\n\n\n                                                                                                         Accreditation Re-Accreditation and\n                                                                                                                       Re-Certification\n   Major\n\n\n\n\n                                                           Proposal   Contract                 ATT                  IATO\n                                                           Submission Award                                         ATO\nProcesses\n Support\n   Key\n\n\n\n\n                                                                      Key Supporting Tasks\n\n                                                                                         f           l\n                                                                         LEGEND\n\nAOR                    Annual Operational Review                                          MNR              Mission Needs Review\nAPR                    Acquisition Plan Review                                            OAR              Operational Acceptance Review\nATO                    Authority to Operate                                               ORR              Operational Readiness Review\nATT                    Authorization to Test                                              PDR              Preliminary Design Review\nCDR                    Critical Design Review                                             PTRR             Product Test Readiness Review\nCIR                    Contract Implementation Review                                     RCR              Requirements Clarification Review\nCMB                    Change Management Board                                            SAR              Site Acceptance Review\nCRB                    Contract Review Board                                              SCR              System Concept Review\nDCR                    Design Concept Review                                              SSAR             Source Selection Authorization Review\nDR                     Disposal Review                                                    SSR              System Specification Review\nDRR                    Deployment Readiness Review                                        STRR             Site Test Readiness Review\n                                                                                          Sys\nEAB                    Enterprise Architecture Board                                                       System Test Readiness Review\n                                                                                          TRR\nFDR                    Final Design Review Board                                          TR               Termination Review\nIATO                   Interim Authority to Operate                                       TRB              Technical Review Board\nIMPRB                  Investment Management Project Review Board\n\n\n\n\n                                                                       54\n\x0c                                                        APPENDIX 5\n\n              THE FBI LCMD KEY PROCESS AREAS\n\nKey Process Areas                        Purpose\n\n                      Establishes and maintains the integrity of\nConfiguration         work products using configuration\nManagement (CM)       identification, configuration control,\n                      configuration status accounting, and\n                      configuration audits.\nContinuity of\n                      Provides plans for continuity of operations in\nOperations Planning\n                      the event of major crises.\n(COOP)\nInformation Sharing  Maximizes information sharing across IT\n                     systems.\n                     Develops and maintains the FBI IT\nEnterprise           architecture including the \xe2\x80\x9cas-is\xe2\x80\x9d and \xe2\x80\x9cto-be\xe2\x80\x9d\nArchitecture (EA)    (target) architectures and the transition plan\n                     for moving to the target architecture.\n                     Establishes and applies safeguards within\n                     systems, processes, and organizations to\nInformation Security\n                     protect data, software, and hardware from\nManagement (ISM)\n                     accidental or malicious modification,\n                     destruction, or disclosure.\nInformation          Provides the process for planning, selecting\nTechnology           and controlling the IT resources required to\nInvestment           effectively support the performance of the FBI\nManagement (ITIM)    operational and administrative mission areas.\n                     Ensures that support considerations are an\n                     integral part of an IT system\'s requirements,\n                     design, implementation, and ongoing\nLogistics Management\n                     maintenance and that the infrastructure\n(LOG)\n                     necessary for deployment and continued\n                     operational support of the system is\n                     identified, developed, and acquired.\n                     Develops and sustains a measurement\nMeasurement and\n                     capability that is used to support\nAnalysis (MA)\n                     management information needs.\n\n\n\n\n                                55\n\x0cOrganizational\n                        Establishes and maintains a usable set of\nProcess Definition\n                        organizational process assets.\n(OPD)\n                        Plans and implements organizational process\n                        improvement based on a thorough\nOrganizational\n                        understanding of the current strengths and\nProcess Focus (OPF)\n                        weaknesses of the organization\xe2\x80\x99s processes\n                        and process assets.\n                        Develops the skills and knowledge of\nOrganizational\n                        individuals so they can perform their roles\nTraining (OT)\n                        effectively and efficiently.\nPortfolio Management\n                        Manages the legacy IT system portfolio.\n(PORT)\n                        Ensures the quality of the product or service\nProcess and Product     and the processes used to create or provide\nQuality Assurance       them, and provides staff and management\n(PPQA)                  with objective insight into processes and\n                        associated work products.\n                        Provides an understanding of the project\xe2\x80\x99s\n                        progress so that appropriate corrective\nProject Monitoring &\n                        actions can be taken when the project\xe2\x80\x99s\nControl (PMC)\n                        performance deviates significantly from the\n                        plan.\n                        Establishes and maintains plans that define\nProject Planning (PP)\n                        project activities.\n                        Establishes and maintains effective plans,\nRecords Management      guidelines, and procedures for the collection,\n(RM)                    dissemination, organization, and protection of\n                        government records.\nRequirements            Produces and analyzes customer, product,\nDevelopment (RD)        and product-component requirements.\n                        Manages the requirements of the project\xe2\x80\x99s\nRequirements            products and their components and identifies\nManagement (REQM)       inconsistencies between those requirements\n                        and the project\xe2\x80\x99s plans and work products.\n\n\n\n\n                                 56\n\x0c                     Identifies potential problems before they\n                     occur so that risk-handling activities may be\nRisk Management\n                     planned and invoked as needed during the life\n(RSKM)\n                     of the product or project, to mitigate adverse\n                     impacts on achieving objectives.\n                     Identifies FBI goals, objectives, and strategies\n                     to accomplish the FBI\xe2\x80\x99s mission and vision,\nStrategic Planning   guides annual budget and performance\n(SP)                 planning, and sets the framework for\n                     measuring progress and ensuring\n                     accountability.\n                     Manages the acquisition of products from\nSupplier Agreement\n                     suppliers for which there exists a formal\nManagement (SAM)\n                     agreement.\n                     Demonstrates that a product or its component\nValidation (VAL)     fulfills its intended use when placed in an\n                     intended environment.\n                     Ensures that selected work products meet\nVerification (VER)\n                     their specified requirements.\n\n\n\n\n                               57\n\x0c                                                           APPENDIX 6\n\n        PMO STAFF POSITIONS AND RESPONSIBILITIES\n\nProgram Leadership\n\n      The Sentinel program leadership consists of a program manager\nand a deputy program manager who are responsible for ensuring the\noverall success of the Sentinel project.\n\nDirect Reporting Staff\n\n      The direct reporting staff includes the following:\n\n         \xe2\x80\xa2   Contract Officer \xe2\x80\x94 oversees all Sentinel contract\n             executions, including contractor task-order compliance,\n             prepares change orders or other contract modifications as\n             required, and also monitors contractual performance.\n\n         \xe2\x80\xa2   Contract Officer Technical Representative \xe2\x80\x94 assists\n             Contracting Officer in technical oversight.\n\n         \xe2\x80\xa2   General Counsel \xe2\x80\x94 provides legal advice to the program\n             manager and deputy program manager.\n\n         \xe2\x80\xa2   Communications \xe2\x80\x94 assists the program manager in\n             relaying program information.\n\nOrganization Change Management (OCM)\n\n       OCM is responsible for preparing Sentinel users to accept and\nutilize Sentinel\xe2\x80\x99s capabilities. OCM provides a formal path for receiving\nnew user-originated requirements during the implementation of the\nsystem. The OCM team includes special agents, intelligence analysts,\nand professional staff who are on temporary duty assignments to the\nSentinel program.\n\nBusiness Management\n\n      The Business Management organizational unit develops and\nmaintains program investments, budget, and spending plans. The\nteam also monitors, analyzes, and reports on the program\xe2\x80\x99s Earned\nValue Management (EVM) status.\n\n\n\n                                   58\n\x0cAdministrative Support\n\n     The Administrative Support staff directs the administrative and\nsupport services required by the PMO.\n\nProgram Integration\n\n      The Program Integration staff is responsible for developing and\nmaintaining the Sentinel project baseline and then tracking progress\nand risks against that baseline. This team is also responsible for\ncoordinating external interfaces development plans and dependency\nschedules.\n\nSystem Development.\n\n      The System Development staff is responsible for the overall\nsystem design and its implementation increments. This team is also\nresponsible for the technical performance outcome of the Sentinel\nprogram and is accountable for the systems requirements and the\ndelivery of a system whose technical performance meets users\xe2\x80\x99\nexpectations.\n\nTransition\n\n       The Transition team is responsible for all activities associated\nwith the transition of Sentinel phase capability from its development to\neventual use by the FBI user community.\n\nOperations and Maintenance\n\n       The Operations and Maintenance staff is responsible for the\noperations and maintenance of the deployed Sentinel capabilities until\nit reaches full operation capability. At which time this responsibility\nwill be transferred to the FBI\xe2\x80\x99s Information Technology Operations\nDivision.\n\n\n\n\n                                  59\n\x0c                                                                               APPENDIX 7\n\n                       THE FBI\xe2\x80\x99S RISK MITIGATION STRATEGY\n\nRank      Risk Condition             Risk Consequence                       Mitigation Plan\n1    There are a number of         Parallel development       M1. Monitor parallel development efforts;\n     parallel initiatives          efforts may result in      develop MOUs for content, interfaces, and\n     within the FBI that can       changes to Sentinel        funding strategy; incorporate into Sentinel\n     impact the scope of           functional content or      plans as appropriate\n     Sentinel                      interface requirements\n2    The project award             The target award slip      M1. Develop the draft Request For Proposal\n     schedule is very              delays identification of   M2. Develop OMB 300\n     aggressive and the target     resources                  M3. Establish schedule baseline\n     award date may not be\n     attainable\n3    Sentinel increments           The coordination and       M1. Document external systems and\n     must interface with           information required to    interface requirements for inclusion in the\n     numerous legacy               develop the interfaces     solicitation\n     systems operated              may consume                M2. Establish a working partnership and\n     outside the OCIO              significant, unforeseen    collaborate with the legacy systems\xe2\x80\x9d owning\n                                   schedule and resources     organization\n4      FBI mission evolves or      Funding and schedule       M1. Place the System Requirements\n       user requirements           will not support project   Specifications (SRS) under configuration\n       change, resulting in        completion                 control prior to RFP release\n       scope creep prior to                                   M2. Maintain strict requirements and\n       system completion                                      configuration controls throughout the project\n                                                              M3. Ensure user advocacy group is the focal\n                                                              point for all user changes or needs\n                                                              M4. Ensure contractors are aware and adhere\n                                                              to change process, including communication\n                                                              with user community\n                                                              M5. Ensure FBI capabilities are addressed\n                                                              early in system development\n                                                              M6. Ensure continuous feedback with user\n                                                              community\n                                                              M7. Concurrence of SRS contents to be\n                                                              achieved by each division\n5      Initial project costs are   Budgeted costs are not     M1. Establish the SRS early enough to serve\n       underestimated              sufficient to complete     as a baseline for the initial cost estimate\n                                   project                    M2. Perform a market survey of COTS and\n                                                              GOTS products to support baseline\n                                                              development\n                                                              M3. Generate multiple, independent cost\n                                                              estimates\n6      Availability of staffing    Project plans,             M1. Identify the government and support\n       resources (prime and        schedules, and scope       contractor resources, (and associated\n\n\n                                                  60\n\x0c    subcontractors) that    will required             timeline, skills, et al.) in the Sentinel Project\n    meet FBI requirements   modification; Sentinel    Plan\n    may not be available    vision prolonged or not   M2. Assess the realism of contractor staffing\n    when needed             achieved                  during source selection\n                                                      M3. Define security clearance requirements\n                                                      consistent with the access required by\n                                                      development contractor personnel, likely\n                                                      reducing the number of Top Secret security\n                                                      clearances required\n                                                      M4. Require staffing plan submission, with\n                                                      clearance status, in project review reporting\n                                                      M5. Ensure active government involvement\n7   The development         Delivery schedule will    M1. Evaluate realism of proposed schedules\n    contractor may be       be delayed, having a      during source selection\n    unable to meet the      cascading effect on       M2. Perform Integrated Baseline Reviews, as\n    proposed notional       project                   needed, to ensure that the government and\n    schedule                                          contractor have a common understanding of\n                                                      the project baselines and risks\n                                                      M3. Use an integrated master schedule and\n                                                      regular status/remediation reporting to\n                                                      support schedule control\n                                                      M4. Implement Earned Value Management\n                                                      in accordance with ANSI/EIA Standard\n                                                      M7M4M8A\n                                                      M5. Hold weekly project status meetings and\n                                                      regular risk management meetings with the\n                                                      development contractor\n                                                      M6. Impose Resource Loaded Schedule\n                                                      (RLS) submission\n\n\n\n\n                                          61\n\x0c                                                           APPENDIX 8\n\n           QUESTIONNAIRE USED TO DETERMINE THE MOST\n                   VIABLE CONTRACT VEHICLE\n\nA. Contract Conditions\n\n1.    Are there specific limitations on the types of services or products\n      that may be acquired?\n\n2.    Are there limitations on the dollar amount/percentage of services\n      to computer hardware/software?\n\n3.    Are there specifics restrictions or terms/conditions on the\n      purchase of computer hardware/software?\n\n4.    Describe the interagency fee structure. Is this fee structure\n      flexible depending on the level of support required, or the\n      amount of funds obligated?\n\n5.    What type of operating agreement will be put in place between\n      the FBI and your agency?\n\n6.    Are there period of performance limitations that apply to this\n      GWAC?\n\n7.    Can the contract/task order cross fiscal years or exceed 12-\n      months?\n\n8.    Can the task order be incrementally funded?\n\n9.    How are interagency funds transfers handled?\n\n10.   What happens to funds that are not obligated?\n\n11.   Are there limitations/caps on the prime contractor rates charged\n      under this vehicle?\n\n12.   What escalations factors are built into the rate structures?\n\n13.   Can labor categories be added to the contract?\n\n14.   Does the GWAC contracting officer periodically audit the prime\n      contracts? If so, will the FBI receive a copy of the audit?\n\n\n                                   62\n\x0c15.   Are there any provisions in the GWAC contract that would\n      preclude the FBI from conducting their own audits (e.g.\n      timecards, invoices) at their discretion?\n\n16.   Are there maximum/minimum order limitations?\n\n17.   Are there any particular or unique terms and conditions of which\n      the FBI should be aware?\n\n18.   What is the process for handling modifications? Are there\n      limitations on the scope of changes?\n\nB. Government Roles and Responsibilities\n\n1.    What services are provided by your agency both pre and post\n      award?\n\n2.    Can we retain specific oversight of the contract post-award using\n      FBI Contracting Officers?\n\n3.    Will you provide dedicated personnel responsible for this\n      particular action?\n\nC. Source Selection\n\n1.    Can the FBI perform an independent proposal evaluation using\n      internal best value source selection procedures?\n\n2.    Can the FBI limit competition to certain primes based on the use\n      of a white paper down-selection, an advisory multi-step process,\n      or other FAR-compliant mechanisms?\n\n3.    Despite limited distribution of the RFP, are other primes able to\n      submit a proposal even if they did not receive the RFP?\n\n4.    What will be your role in the source selection process?\n\n5.    Upon completion of the source selection how long will it take to\n      award the contract?\n\n\n\n\n                                   63\n\x0cD. Contractor Teams\n\n1.   What are the restrictions on adding additional primes or\n     subcontractors?\n\n2.   Are there restrictions on the percentage of work that primes\n     must perform versus subs?\n\n3.   Are there any restrictions on teaming arrangements? Are there\n     any restrictions on prime contractors teaming with each other?\n\n\n\n\n                                 64\n\x0c                                                           APPENDIX 9\n\nGLOBAL JUSTICE XML DATA REFERENCE MODEL AND NATIONAL\n            INFORMATION EXCHANGE MODEL\n\n      The Global Justice XML Data Reference Model (GJXDM) is an\nExtensible Markup Language (XML) standard designed specifically for\ncriminal justice information exchanges, providing law enforcement,\npublic safety agencies, prosecutors, public defenders, and the judicial\nbranch with a tool to effectively share data and information in a timely\nmanner. The GJXDM removes the burden from agencies to\nindependently create exchange standards, and because of its ability to\ncover a variety of sources, there is more flexibility to deal with unique\nagency requirements and changes. Through the use of a common\nvocabulary that is understood system to system, GJXDM enables\naccess from multiple sources and reuse in multiple applications.\n\n       The National Information Exchange Model (NIEM) is an\n"umbrella" model that synchronizes domain-specific models such as\nGJXDM. According to a Department of Justice system architect, the\nNIEM project vision is to develop a national enterprise-wide framework\nto facilitate information sharing across all levels of government in\nsupport of justice, public safety, intelligence, and homeland security\nthereby improving America\xe2\x80\x99s security, while respecting the privacy\nrights of citizens and the autonomy of external agencies and domains.\n\n      The GJXDM and NIEM models can make information exchange\nsubstantially more efficient by serving as guidance on how to\ndocument information. The models provide a standardized language\nwhere everyone understands what each term means as well as provide\na vocabulary where people would be more likely to choose the same\nterms to describe the same thing. Upon that foundation, more specific\nstandards are created for more specific kinds of information sharing,\nparticularly for Sentinel and the Federal Investigative Case\nManagement System (FICMS).\n\n      The various ways in which a FICMS system will exchange\ninformation must be identified and documented, and then exchange\nstandards are built for each interface using GJXDM and NIEM. These\nexchange standards will define a significant portion of what FICMS is,\nin that compliance with these standards will be a necessary attribute of\nany FICMS system. In turn, these standards will be incorporated back\ninto GJXDM and NIEM for reuse in other kinds of systems as\nappropriate.\n\n\n                                   65\n\x0c     The Department created the GJXDM by gathering approximately\n16,000 data elements from 35 data dictionaries comprised of\nDepartment agencies as well as various local and state government\nsources. Currently, GJXDM consists of a defined and organized\nvocabulary of 2,754 reusable components.\n\n\n\n\n                               66\n\x0c                                         APPENDIX 10\n\nTHE FEDERAL BUREAU OF INVESTIGATION\xe2\x80\x99S RESPONSE TO THE\n                    DRAFT REPORT\n\n\n\n\n                         67\n\x0c68\n\x0c69\n\x0c                                                         APPENDIX 11\n\n    OFFICE OF THE INSPECTOR GENERAL ANALYSIS AND\n  SUMMARY OF ACTIONS NECESSARY TO CLOSE THE REPORT\n\n      Pursuant to the OIG\xe2\x80\x99s standard audit process, the OIG provided\na draft of this audit report to the FBI on February 22, 2006, for its\nreview and comment. The FBI\xe2\x80\x99s March 3, 2006, response is included\nas Appendix 10 of this final report. The FBI concurred with the seven\nrecommendations in the audit report. Our analysis of the FBI\xe2\x80\x99s\nresponse to the seven recommendations is provided below.\n\nStatus of Recommendations\n\n1. Resolved. In response to this recommendation, the FBI stated that\nsteps are being taken to ensure that the system security and\nIndependent Verification and Validation (IV&V) plans will be completed\nas soon as possible. Because the system security plan is dependent\non the system design, the system security plan will not be finalized\nuntil the program\xe2\x80\x99s Critical Design Review. In the meantime, the\nSentinel Program Manager has assigned an Information Officer and\nInformation System Security Manager to coordinate system security\nrequirements with the prime developer. For the IV&V plan, the FBI is\nnearing completion of its efforts to obtain the services of an\nindependent contractor to support Sentinel and other projects. The\nFBI said it anticipates that an IV&V plan will be established during the\ndesign phase of development. This recommendation can be closed\nwhen we receive documentation demonstrating that the system\nsecurity and IV&V plans have been completed.\n\n2. Resolved. The FBI\xe2\x80\x99s response states that the Sentinel Program\nManager continues hiring critical government employees and support\nservice contractors as authorized by the Sentinel staffing plan. The\nFBI states that as of February 2006, more than two thirds of the\nprogram staff was in place, including all necessary staff to initiate the\ncontract award and commence Phase 1 development of Sentinel. Full\nstaffing is projected to be completed by June 2006, with some of the\ntransition and operations and maintenance positions being deferred\nuntil after commencement of the project\xe2\x80\x99s development. This\nrecommendation can be closed when we receive documentation\ndemonstrating that the Sentinel Program Management Office is staffed\nto fully support Sentinel.\n\n\n\n\n                                   70\n\x0c3. Resolved. In its response, the FBI stated that the Sentinel\nProgram Management Office (PMO) is procuring a tool to effectively\nimplement the Earned Value Management process, wInsight.\nAccording to the FBI, this tool will be fully compliant with the FBI\xe2\x80\x99s\nenterprise IT Portfolio Tool that is in the final stages of being certified\nand accredited by June 2006. This recommendation can be closed\nwhen we receive documentation demonstrating that the FBI has\nobtained and implemented a tool that will allow for the effective\nimplementation of an Earned Value Management process.\n\n4. Resolved. The FBI\xe2\x80\x99s response to this recommendation states that\nthe Sentinel PMO has a dedicated data architect working with the\nintelligence and law enforcement communities on information sharing\ncapabilities. This recommendation can be closed when we receive\ndocumentation demonstrating that the FBI has discussed with other\nintelligence and law enforcement agencies their information sharing\nrequirements to ensure compatibility with those systems in the\nrequirements and design of Sentinel.\n\n5. Resolved. In its response, the FBI states that it has already\nimplemented steps to ensure that all costs are authorized in advance,\nverified when delivered, and validated when invoiced. The Sentinel\nPMO has a dedicated Business Management Unit to track, monitor, and\ncontrol all program and development costs. Additionally, a separate,\ndedicated cost code has been established by the FBI\xe2\x80\x99s Chief Financial\nOfficer for Sentinel within the Office of the Chief Information Officer\n(OCIO) that allows for Sentinel, OCIO budget administration, and CFO\nteams to jointly track and control Sentinel costs through a Budgetary\nEvaluation and Analysis Reporting System tool and oversight process.\nThis recommendation can be closed when we receive documentation\ndemonstrating that the FBI has ensured that an effective system is in\nplace to accurately track and control Sentinel\xe2\x80\x99s development costs.\n\n6. Resolved. The FBI\xe2\x80\x99s response states that the FBI has included\nextensive requirements in Sentinel\xe2\x80\x99s Statement of Work for\nOrganizational Change Management to include training of all FBI staff\nat all locations. The development contractor is required to develop a\nSentinel training plan as part of its tasking, and Sentinel cost\nestimates already include this activity. This recommendation can be\nclosed when we receive documentation demonstrating that a\ncomprehensive training plan with realistic schedule and cost estimates\nhas been developed and that the training cost estimate is included in\noverall Sentinel project costs.\n\n\n\n                                     71\n\x0c7. Resolved. In response to this recommendation, the FBI said that it\nroutinely evaluates the operational impact of any reprogramming.\nSuch evaluations are included in the FBI\xe2\x80\x99s decision whether to submit\na request to Congress for the necessary approval to reprogram\nresources, and all reprogramming proposals include statements\nsummarizing the impact on current operations. This recommendation\ncan be closed when we receive documentation on the FBI\xe2\x80\x99s method for\nmonitoring the operational impact of a potential second\nreprogramming during Sentinel\xe2\x80\x99s development to identify for resolution\nany degrading of the FBI\xe2\x80\x99s mission-critical functions due to the\ndiversion of funds to the Sentinel project.\n\n\n\n\n                                 72\n\x0c'